[test-only] ApiTest. test for filter appRoleAssigment (#5629)

* add test for filter * fixed typos
2026-01-04 03:09:33 -06:00 · 2023-02-23 09:53:12 +01:00
parent 804d177705
commit 56d3192fc7
3 changed files with 175 additions and 0 deletions
--- a/tests/TestHelpers/GraphHelper.php
+++ b/tests/TestHelpers/GraphHelper.php
@@ -1073,4 +1073,60 @@ class GraphHelper {
 			self::getRequestHeaders()
 		);
 	}
+
+	/**
+	 * @param string $baseUrl
+	 * @param string $xRequestId
+	 * @param string $user
+	 * @param string $password
+	 * @param string $roleId
+	 *
+	 * @return ResponseInterface
+	 * @throws GuzzleException
+	 */
+	public static function getUsersWithFilterRoleAssignment(
+		string $baseUrl,
+		string $xRequestId,
+		string $user,
+		string $password,
+		string $roleId
+	): ResponseInterface {
+		$url = self::getFullUrl($baseUrl, 'users' . '?$filter=appRoleAssignments/any(m:m/appRoleId ' . "eq '$roleId')");
+		return HttpRequestHelper::get(
+			$url,
+			$xRequestId,
+			$user,
+			$password,
+			self::getRequestHeaders()
+		);
+	}
+
+	/**
+	 * @param string $baseUrl
+	 * @param string $xRequestId
+	 * @param string $user
+	 * @param string $password
+	 * @param string $roleId
+	 * @param string $groupId
+	 *
+	 * @return ResponseInterface
+	 * @throws GuzzleException
+	 */
+	public static function getUsersWithFilterRolesAssignmentAndMemberOf(
+		string $baseUrl,
+		string $xRequestId,
+		string $user,
+		string $password,
+		string $roleId,
+		string $groupId
+	): ResponseInterface {
+		$url = self::getFullUrl($baseUrl, 'users' . '?$filter=appRoleAssignments/any(m:m/appRoleId ' . "eq '$roleId') " . "and memberOf/any(m:m/id eq '$groupId')");
+		return HttpRequestHelper::get(
+			$url,
+			$xRequestId,
+			$user,
+			$password,
+			self::getRequestHeaders()
+		);
+	}
 }
--- a/tests/acceptance/features/apiGraph/getUser.feature
+++ b/tests/acceptance/features/apiGraph/getUser.feature
@@ -123,3 +123,54 @@ Feature: get users
      | displayName  | id        | mail              | onPremisesSamAccountName |
      | Alice Hansen | %uuid_v4% | alice@example.org | Alice                    |
      | Carol King   | %uuid_v4% | carol@example.org | Carol                    |
+
+
+  Scenario Outline: non admin user tries to get users of certain groups
+    Given the administrator has given "Brian" the role "<role>" using the settings api
+    And group "tea-lover" has been created
+    And user "Alice" has been added to group "tea-lover"
+    When the user "Brian" gets all users of the group "tea-lover" using the Graph API
+    Then the HTTP status code should be "401"
+    And the last response should be an unauthorized response
+    Examples:
+      | role        |
+      | Space Admin |
+      | User        |
+      | Guest       |
+
+
+  Scenario: admin user gets all users with certain roles and members of a certain group
+    Given user "Carol" has been created with default attributes and without skeleton files
+    And the administrator has given "Brian" the role "Space Admin" using the settings api
+    And the administrator has given "Carol" the role "Space Admin" using the settings api
+    And group "tea-lover" has been created
+    And user "Brian" has been added to group "tea-lover"
+    When the user "Alice" gets all users with role "Space Admin" using the Graph API
+    Then the HTTP status code should be "200"
+    And the API response should contain following users with the information:
+      | displayName  | id        | mail              | onPremisesSamAccountName |
+      | Brian Murphy | %uuid_v4% | brian@example.org | Brian                    |
+      | Carol King   | %uuid_v4% | carol@example.org | Carol                    |
+    But the API response should not contain following user with the information:
+      | displayName  | id        | mail              | onPremisesSamAccountName |
+      | Alice Hansen | %uuid_v4% | alice@example.org | Alice                    |
+    When the user "Alice" gets all users with role "Space Admin" and member of the group "tea-lover" using the Graph API
+    Then the HTTP status code should be "200"
+    And the API response should contain following users with the information:
+      | displayName  | id        | mail              | onPremisesSamAccountName |
+      | Brian Murphy | %uuid_v4% | brian@example.org | Brian                    |
+    But the API response should not contain following user with the information:
+      | displayName | id        | mail              | onPremisesSamAccountName |
+      | Carol King  | %uuid_v4% | carol@example.org | Carol                    |
+
+
+  Scenario Outline: non-admin user tries to get users with a certain role
+    Given the administrator has given "Brian" the role "<role>" using the settings api
+    When the user "Brian" gets all users with role "Admin" using the Graph API
+    Then the HTTP status code should be "401"
+    And the last response should be an unauthorized response
+    Examples:
+      | role        |
+      | Space Admin |
+      | User        |
+      | Guest       |
--- a/tests/acceptance/features/bootstrap/GraphContext.php
+++ b/tests/acceptance/features/bootstrap/GraphContext.php
@@ -1563,4 +1563,72 @@ class GraphContext implements Context {
 		);
 		$this->featureContext->setResponse($response);
 	}
+
+	/**
+	 * Get roleId by role name
+	 *
+	 * @param string $role
+	 *
+	 * @return string
+	 * @throws GuzzleException
+	 */
+	public function getRoleIdByRoleName(string $role): string {
+		$response = GraphHelper::getApplications(
+			$this->featureContext->getBaseUrl(),
+			$this->featureContext->getStepLineRef(),
+			$this->featureContext->getAdminUsername(),
+			$this->featureContext->getAdminPassword()
+		);
+		$responseData = \json_decode($response->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);
+		if (isset($responseData["value"][0]["appRoles"])) {
+			foreach ($responseData["value"][0]["appRoles"] as $value) {
+				if ($value["displayName"] === $role) {
+					return $value["id"];
+				}
+			}
+			throw new Exception(__METHOD__ . " role with name $role not found");
+		}
+	}
+
+	/**
+	 * @When the user :user gets all users with role :role using the Graph API
+	 *
+	 * @param string $user
+	 * @param string $role
+	 *
+	 * @return void
+	 * @throws GuzzleException
+	 */
+	public function userGetsAllUsersWithRoleUsingTheGraphApi(string $user, string $role) {
+		$response = GraphHelper::getUsersWithFilterRoleAssignment(
+			$this->featureContext->getBaseUrl(),
+			$this->featureContext->getStepLineRef(),
+			$user,
+			$this->featureContext->getPasswordForUser($user),
+			$this->getRoleIdByRoleName($role)
+		);
+		$this->featureContext->setResponse($response);
+	}
+
+	/**
+	 * @When the user :user gets all users with role :role and member of the group :group using the Graph API
+	 *
+	 * @param string $user
+	 * @param string $role
+	 * @param string $group
+	 *
+	 * @return void
+	 * @throws GuzzleException
+	 */
+	public function userGetsAllUsersWithRoleAndMemberOfGroupUsingTheGraphApi(string $user, string $role, string $group) {
+		$response = GraphHelper::getUsersWithFilterRolesAssignmentAndMemberOf(
+			$this->featureContext->getBaseUrl(),
+			$this->featureContext->getStepLineRef(),
+			$user,
+			$this->featureContext->getPasswordForUser($user),
+			$this->getRoleIdByRoleName($role),
+			$this->featureContext->getGroupIdByGroupName($group)
+		);
+		$this->featureContext->setResponse($response);
+	}
 }