From 4b04870ade5964d8b1968504217ca06ba7bc04f2 Mon Sep 17 00:00:00 2001 From: Prarup Gurung Date: Mon, 15 May 2023 14:30:24 +0545 Subject: [PATCH] [full-ci] [tests-only] unassign app role assignment of user (#6030) * Added scenario to unassign the role of user * Added scenario,admin tries to unassign the own role * Addressed reviews * refactor --------- Co-authored-by: Saw-jan --- tests/TestHelpers/GraphHelper.php | 30 ++++++ ...ected-failures-localAPI-on-OCIS-storage.md | 25 +++++ .../features/apiGraph/unassignRole.feature | 32 ++++++ .../features/bootstrap/GraphContext.php | 97 +++++++++++++++++++ 4 files changed, 184 insertions(+) create mode 100644 tests/acceptance/features/apiGraph/unassignRole.feature
diff --git a/tests/TestHelpers/GraphHelper.php b/tests/TestHelpers/GraphHelper.php
index b03445d9d..67d38e51b 100644
--- a/tests/TestHelpers/GraphHelper.php
+++ b/tests/TestHelpers/GraphHelper.php
@@ -1394,4 +1394,34 @@ class GraphHelper {
 \json_encode($payload)
 );
 }
+
+ /**
+ * @param string $baseUrl
+ * @param string $xRequestId
+ * @param string $user
+ * @param string $password
+ * @param string $appRoleAssignmentId
+ * @param string $userId
+ *
+ * @return ResponseInterface
+ * @throws GuzzleException
+ */
+ public static function unassignRole(
+ string $baseUrl,
+ string $xRequestId,
+ string $user,
+ string $password,
+ string $appRoleAssignmentId,
+ string $userId
+ ): ResponseInterface {
+ $url = self::getFullUrl($baseUrl, 'users/' . $userId . '/appRoleAssignments/' . $appRoleAssignmentId);
+ return HttpRequestHelper::sendRequest(
+ $url,
+ $xRequestId,
+ "DELETE",
+ $user,
+ $password,
+ self::getRequestHeaders(),
+ );
+ }
 }
diff --git a/tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md b/tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md
index 7da9c6e5a..793d3b1d5 100644
--- a/tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md
+++ b/tests/acceptance/expected-failures-localAPI-on-OCIS-storage.md
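Review bot: In `GraphHelper::unassignRole` (tests/TestHelpers/GraphHelper.php) the two identifiers are concatenated into the request path unencoded, so a value containing `/`, `?`, `#` or a space would address a different resource than the test intends, unless `getFullUrl` encodes its argument, which is not visible here. The caller added to GraphContext.php in this same patch falls back to the raw user name when no stored id exists, so non-id input can reach this helper. Encoding each segment keeps the DELETE on the intended assignment: `$url = self::getFullUrl($baseUrl, 'users/' . \rawurlencode($userId) . '/appRoleAssignments/' . \rawurlencode($appRoleAssignmentId));`. The docblock would also be clearer if it stated that `$user`/`$password` are the requester's credentials and `$userId` is the user whose assignment is removed.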
@@ -1,7 +1,9 @@ ## Scenarios from OCIS API tests that are expected to fail with OCIS storage + The expected failures in this file are from features in the owncloud/ocis repo. #### [Downloading the archive of the resource (files | folder) using resource path is not possible](https://github.com/owncloud/ocis/issues/4637) + - [apiArchiver/downloadByPath.feature:26](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiArchiver/downloadByPath.feature#L26) - [apiArchiver/downloadByPath.feature:27](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiArchiver/downloadByPath.feature#L27) - [apiArchiver/downloadByPath.feature:44](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiArchiver/downloadByPath.feature#L44) 
@@ -12,10 +14,12 @@ The expected failures in this file are from features in the owncloud/ocis repo. - [apiArchiver/downloadByPath.feature:133](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiArchiver/downloadByPath.feature#L133) ### [Downloaded /Shares tar contains resource (files|folder) with leading / in Response](https://github.com/owncloud/ocis/issues/4636) + - [apiArchiver/downloadById.feature:134](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiArchiver/downloadById.feature#L134) - [apiArchiver/downloadById.feature:135](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiArchiver/downloadById.feature#L135) ### [create request for already existing user exits with status code 500 ](https://github.com/owncloud/ocis/issues/3516) + - [apiGraph/createGroupCaseSensitive.feature:20](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/createGroupCaseSensitive.feature#L20) - [apiGraph/createGroupCaseSensitive.feature:21](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/createGroupCaseSensitive.feature#L21) - [apiGraph/createGroupCaseSensitive.feature:22](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/createGroupCaseSensitive.feature#L22) 
@@ -27,26 +31,32 @@ The expected failures in this file are from features in the owncloud/ocis repo. - [apiGraph/createUser.feature:72](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/createUser.feature#L72) ### [PROPFIND on accepted shares with identical names containing brackets exit with 404](https://github.com/owncloud/ocis/issues/4421) + - [apiSpacesShares/changingFilesShare.feature:15](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/changingFilesShare.feature#L15) ### [copy to overwrite (file and folder) from Personal to Shares Jail behaves differently](https://github.com/owncloud/ocis/issues/4393) + - [apiSpacesShares/copySpaces.feature:529](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/copySpaces.feature#L529) - [apiSpacesShares/copySpaces.feature:543](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/copySpaces.feature#L543) #### [PATCH request for TUS upload with wrong checksum gives incorrect response](https://github.com/owncloud/ocis/issues/1755) + - [apiSpacesShares/shareUploadTUS.feature:204](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/shareUploadTUS.feature#L204) - [apiSpacesShares/shareUploadTUS.feature:219](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/shareUploadTUS.feature#L219) - [apiSpacesShares/shareUploadTUS.feature:284](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/shareUploadTUS.feature#L284) ### [Copy or move on an existing resource doesn't create a new version but deletes instead](https://github.com/owncloud/ocis/issues/4797) + - [apiSpacesShares/moveSpaces.feature:322](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/moveSpaces.feature#L322) - 
[apiSpacesShares/copySpaces.feature:752](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/copySpaces.feature#L752) - [apiSpacesShares/copySpaces.feature:793](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/copySpaces.feature#L793) ### [Creating group with empty name returns status code 200](https://github.com/owncloud/ocis/issues/5050) + - [apiGraph/createGroup.feature:48](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/createGroup.feature#L48) ### [Settings service user can list other peoples assignments](https://github.com/owncloud/ocis/issues/5032) + - [apiAccountsHashDifficulty/assignRole.feature:28](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiAccountsHashDifficulty/assignRole.feature#L28) - [apiAccountsHashDifficulty/assignRole.feature:29](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiAccountsHashDifficulty/assignRole.feature#L29) - [apiGraph/assignRole.feature:31](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/assignRole.feature#L31) 
@@ -54,19 +64,23 @@ The expected failures in this file are from features in the owncloud/ocis repo. - [apiGraph/assignRole.feature:33](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/assignRole.feature#L33) #### [Share lists deleted user as 'user'](https://github.com/owncloud/ocis/issues/903) + - [apiGraph/deleteGroup.feature:68](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/deleteGroup.feature#L68) #### [CORS headers are not identical with oC10 headers](https://github.com/owncloud/ocis/issues/5195) + - [apiCors/cors.feature:28](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiCors/cors.feature#L28) - [apiCors/cors.feature:29](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiCors/cors.feature#L29) - [apiCors/cors.feature:30](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiCors/cors.feature#L30) - [apiCors/cors.feature:31](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiCors/cors.feature#L31) #### [Requests with invalid credentials do not return CORS headers](https://github.com/owncloud/ocis/issues/5194) + - [apiCors/cors.feature:70](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiCors/cors.feature#L70) - [apiCors/cors.feature:71](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiCors/cors.feature#L71) #### [POST response does not return correct path when creating public link](https://github.com/owncloud/ocis/issues/5139) + - [apiSpacesShares/shareSubItemOfSpaceViaPublicLink.feature:63](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpaceViaPublicLink.feature#L63) - [apiSpacesShares/shareSubItemOfSpaceViaPublicLink.feature:64](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpaceViaPublicLink.feature#L64) - 
[apiSpacesShares/shareSubItemOfSpaceViaPublicLink.feature:65](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpaceViaPublicLink.feature#L65) @@ -76,6 +90,7 @@ The expected failures in this file are from features in the owncloud/ocis repo. - [apiSpacesShares/shareSubItemOfSpaceViaPublicLink.feature:169](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpaceViaPublicLink.feature#L169) #### [A User can get information of another user with Graph API](https://github.com/owncloud/ocis/issues/5125) + - [apiGraph/getUser.feature:83](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/getUser.feature#L83) - [apiGraph/getUser.feature:84](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/getUser.feature#L84) - [apiGraph/getUser.feature:85](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/getUser.feature#L85) 
@@ -102,20 +117,25 @@ The expected failures in this file are from features in the owncloud/ocis repo. - [apiGraph/getUser.feature:618](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/getUser.feature#L618) #### [Sharing to a group with an expiration date does not work #5442](https://github.com/owncloud/ocis/issues/5442) + - [apiSpacesShares/shareSubItemOfSpace.feature:105](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpacesShares/shareSubItemOfSpace.feature#L105) #### [Normal user can get expanded members information of a group](https://github.com/owncloud/ocis/issues/5604) + - [apiGraph/getGroup.feature:382](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/getGroup.feature#L382) - [apiGraph/getGroup.feature:383](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/getGroup.feature#L383) - [apiGraph/getGroup.feature:384](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/getGroup.feature#L384) #### [Changing user with an uppercase name gives 404 error](https://github.com/owncloud/ocis/issues/5763) + - [apiGraph/editUser.feature:68](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/editUser.feature#L68) #### [Same users can be added in a group multiple time](https://github.com/owncloud/ocis/issues/5702) + - [apiGraph/addUserToGroup.feature:286](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/addUserToGroup.feature#L286) #### [API requests from an unauthorized user should return 403](https://github.com/owncloud/ocis/issues/5938) + - [apiGraph/addUserToGroup.feature:151](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/addUserToGroup.feature#L151) - [apiGraph/addUserToGroup.feature:152](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/addUserToGroup.feature#L152) - 
[apiGraph/addUserToGroup.feature:153](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/addUserToGroup.feature#L153) 
@@ -145,21 +165,26 @@ The expected failures in this file are from features in the owncloud/ocis repo. - [apiGraph/removeUserFromGroup.feature:194](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/removeUserFromGroup.feature#L194) #### [API requests for a non-existent resources should return 404](https://github.com/owncloud/ocis/issues/5939) + - [apiGraph/addUserToGroup.feature:202](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/addUserToGroup.feature#L202) - [apiGraph/addUserToGroup.feature:203](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/addUserToGroup.feature#L203) - [apiGraph/addUserToGroup.feature:204](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/addUserToGroup.feature#L204) ### [Users are added in a group with wrong host in host-part of user](https://github.com/owncloud/ocis/issues/5871) + - [apiGraph/addUserToGroup.feature:370](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/addUserToGroup.feature#L370) - [apiGraph/addUserToGroup.feature:384](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/addUserToGroup.feature#L384) #### [Admin user can't restore other user spaces](https://github.com/owncloud/ocis/issues/5872) + - [apiSpaces/restoreSpaces.feature:93](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpaces/restoreSpaces.feature#L93) ### [Adding the same user as multiple members in a single request results in listing the same user twice in the group](https://github.com/owncloud/ocis/issues/5855) + - [apiGraph/addUserToGroup.feature:421](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiGraph/addUserToGroup.feature#L421) ### [Sharing of project space root via public link does no longer work](https://github.com/owncloud/ocis/issues/6278) + - 
[apiSpaces/editPublicLinkOfSpace.feature:50](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpaces/editPublicLinkOfSpace.feature#L50) - [apiSpaces/editPublicLinkOfSpace.feature:51](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpaces/editPublicLinkOfSpace.feature#L51) - [apiSpaces/editPublicLinkOfSpace.feature:65](https://github.com/owncloud/ocis/blob/master/tests/acceptance/features/apiSpaces/editPublicLinkOfSpace.feature#L65) diff --git a/tests/acceptance/features/apiGraph/unassignRole.feature b/tests/acceptance/features/apiGraph/unassignRole.feature new file mode 100644 index 000000000..efe4fa2cd --- /dev/null +++ b/tests/acceptance/features/apiGraph/unassignRole.feature 
@@ -0,0 +1,32 @@
+@api
+Feature: unassign user role
+ As an admin
+ I want to unassign the role of user
+ So that the role of user is set to default
+
+ Background:
+ Given user "Alice" has been created with default attributes and without skeleton files
+
+
+ Scenario Outline: admin user unassigns the role of another user
+ Given user "Brian" has been created with default attributes and without skeleton files
+ And the administrator has assigned the role "Admin" to user "Alice" using the Graph API
+ And the administrator has assigned the role "" to user "Brian" using the Graph API
+ When user "Alice" unassigns the role of user "Brian" using the Graph API
+ Then the HTTP status code should be "204"
+ And user "Brian" should not have any role assigned
+ When user "Brian" uploads file with content "this step will assign the role to default" to "assign-to-default.txt" using the WebDAV API
+ And user "Brian" should have the role "User" assigned
+ Examples:
+ | role |
+ | Admin |
+ | Space Admin |
+ | User |
+ | Guest |
+
+ @issue-6035
+ Scenario: admin user tries to unassign his/her own role
+ Given the administrator has assigned the role "Admin" to user "Alice" using the Graph API
+ When user "Alice" tries to unassign the role of user "Alice" using the Graph API
+ Then the HTTP status code should be "403"
+ And user "Alice" should have the role "Admin" assigned
diff --git a/tests/acceptance/features/bootstrap/GraphContext.php b/tests/acceptance/features/bootstrap/GraphContext.php
index f18f85a49..940520b64 100644
--- a/tests/acceptance/features/bootstrap/GraphContext.php
+++ b/tests/acceptance/features/bootstrap/GraphContext.php
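Review bot: Both scenarios in unassignRole.feature send the unassign request as a user holding the Admin role, so nothing here checks that a non-admin is refused when removing someone else's role, which is the authorization boundary this endpoint most needs a regression test for. A scenario outline in which "Alice" holds a lower role and tries to unassign "Brian" would cover it with steps already defined in this patch; the expected status in the sketch below is an assumption to confirm against the server's actual behaviour. Separately, in the first outline the final check hangs off a second `When` as `And`; writing it as `Then user "Brian" should have the role "User" assigned` would read as the assertion it is.

```gherkin
  Scenario Outline: non-admin user tries to unassign the role of another user
    Given user "Brian" has been created with default attributes and without skeleton files
    And the administrator has assigned the role "<role>" to user "Alice" using the Graph API
    And the administrator has assigned the role "Admin" to user "Brian" using the Graph API
    When user "Alice" tries to unassign the role of user "Brian" using the Graph API
    Then the HTTP status code should be "403"
    And user "Brian" should have the role "Admin" assigned
    Examples:
      | role        |
      | Space Admin |
      | User        |
      | Guest       |
```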
@@ -2413,4 +2413,101 @@ class GraphContext implements Context {
 )
 );
 }
+
+ /**
+ * @When user :user unassigns the role of user :ofUser using the Graph API
+ * @When user :user tries to unassign the role of user :ofUser using the Graph API
+ *
+ * @param string $user
+ * @param string $ofUser
+ *
+ * @return void
+ *
+ * @throws GuzzleException
+ * @throws Exception
+ */
+ public function theUserUnassignsTheRoleOfUserUsingTheGraphApi(string $user, string $ofUser): void {
+ $userId = $this->featureContext->getAttributeOfCreatedUser($ofUser, 'id') ?? $ofUser;
+ $credentials = $this->getAdminOrUserCredentials($user);
+
+ $response = GraphHelper::getAssignedRole(
+ $this->featureContext->getBaseUrl(),
+ $this->featureContext->getStepLineRef(),
+ $this->featureContext->getAdminUsername(),
+ $this->featureContext->getAdminPassword(),
+ $userId
+ );
+ $appRoleAssignmentId = $this->featureContext->getJsonDecodedResponse($response)["value"][0]["id"];
+
+ $this->featureContext->setResponse(
+ GraphHelper::unassignRole(
+ $this->featureContext->getBaseUrl(),
+ $this->featureContext->getStepLineRef(),
+ $credentials['username'],
+ $credentials['password'],
+ $appRoleAssignmentId,
+ $userId
+ )
+ );
+ }
+
+ /**
+ * @Then user :user should have the role :role assigned
+ *
+ * @param string $user
+ * @param string $role
+ *
+ * @return void
+ * @throws GuzzleException
+ * @throws Exception
+ */
+ public function userShouldHaveTheRoleAssigned(string $user, string $role): void {
+ $userId = $this->featureContext->getAttributeOfCreatedUser($user, 'id') ?? $user;
+ $response = GraphHelper::getAssignedRole(
+ $this->featureContext->getBaseUrl(),
+ $this->featureContext->getStepLineRef(),
+ $this->featureContext->getAdminUserName(),
+ $this->featureContext->getAdminPassword(),
+ $userId
+ );
+
+ $jsonDecodedResponse = $this->featureContext->getJsonDecodedResponse($response)['value'][0];
+ if (empty($this->appEntity)) {
+ $this->setApplicationEntity();
+ }
+ Assert::assertEquals(
+ $this->appEntity["appRoles"][$role],
+ $jsonDecodedResponse['appRoleId'],
+ __METHOD__
+ . "\nExpected user '$user' to have role '$role' with role id '" . $this->appEntity["appRoles"][$role] .
+ "' but got the role id is '" . $jsonDecodedResponse['appRoleId'] . "'"
+ );
+ }
+
+ /**
+ * @Then user :user should not have any role assigned
+ *
+ * @param string $user
+ *
+ * @return void
+ * @throws GuzzleException
+ * @throws Exception
+ */
+ public function userShouldNotHaveAnyRoleAssigned(string $user): void {
+ $userId = $this->featureContext->getAttributeOfCreatedUser($user, 'id') ?? $user;
+ $response = GraphHelper::getAssignedRole(
+ $this->featureContext->getBaseUrl(),
+ $this->featureContext->getStepLineRef(),
+ $this->featureContext->getAdminUserName(),
+ $this->featureContext->getAdminPassword(),
+ $userId
+ );
+
+ $jsonDecodedResponse = $this->featureContext->getJsonDecodedResponse($response)['value'];
+ Assert::assertEmpty(
+ $jsonDecodedResponse,
+ __METHOD__
+ . "\nExpected user '$user' to have no roles assigned but got '" . json_encode($jsonDecodedResponse) . "'"
+ );
+ }
 }
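Review bot: In `theUserUnassignsTheRoleOfUserUsingTheGraphApi` the admin lookup result is indexed as `["value"][0]["id"]` with no check that the lookup succeeded or returned an assignment, so a user without a role makes the step fail on an undefined offset, or pass a null id on to `unassignRole`, instead of reporting a clear setup failure. Guarding it keeps the failure attributable: `$assignments = $this->featureContext->getJsonDecodedResponse($response)["value"] ?? [];` followed by `Assert::assertNotEmpty($assignments, __METHOD__ . "\nNo app role assignment found for user '$ofUser'");` and `$appRoleAssignmentId = $assignments[0]["id"];`. The same unchecked `['value'][0]` appears in `userShouldHaveTheRoleAssigned`, where a user with no role should produce an assertion message rather than an offset warning. The hunk also mixes `getAdminUsername()` and `getAdminUserName()`; PHP resolves both, but a single spelling would be easier to search for.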