diff --git a/tests/TestHelpers/GraphHelper.php b/tests/TestHelpers/GraphHelper.php
index 2f0902bdc6..b6cbf0119f 100644
--- a/tests/TestHelpers/GraphHelper.php
+++ b/tests/TestHelpers/GraphHelper.php
@@ -1073,4 +1073,60 @@ class GraphHelper {
 self::getRequestHeaders()
 );
 }
+
+ /**
+ * @param string $baseUrl
+ * @param string $xRequestId
+ * @param string $user
+ * @param string $password
+ * @param string $roleId
+ *
+ * @return ResponseInterface
+ * @throws GuzzleException
+ */
+ public static function getUsersWithFilterRoleAssignment(
+ string $baseUrl,
+ string $xRequestId,
+ string $user,
+ string $password,
+ string $roleId
+ ): ResponseInterface {
+ $url = self::getFullUrl($baseUrl, 'users' . '?$filter=appRoleAssignments/any(m:m/appRoleId ' . "eq '$roleId')");
+ return HttpRequestHelper::get(
+ $url,
+ $xRequestId,
+ $user,
+ $password,
+ self::getRequestHeaders()
+ );
+ }
+
+ /**
+ * @param string $baseUrl
+ * @param string $xRequestId
+ * @param string $user
+ * @param string $password
+ * @param string $roleId
+ * @param string $groupId
+ *
+ * @return ResponseInterface
+ * @throws GuzzleException
+ */
+ public static function getUsersWithFilterRolesAssignmentAndMemberOf(
+ string $baseUrl,
+ string $xRequestId,
+ string $user,
+ string $password,
+ string $roleId,
+ string $groupId
+ ): ResponseInterface {
+ $url = self::getFullUrl($baseUrl, 'users' . '?$filter=appRoleAssignments/any(m:m/appRoleId ' . "eq '$roleId') " . "and memberOf/any(m:m/id eq '$groupId')");
+ return HttpRequestHelper::get(
+ $url,
+ $xRequestId,
+ $user,
+ $password,
+ self::getRequestHeaders()
+ );
+ }
 }
diff --git a/tests/acceptance/features/apiGraph/getUser.feature b/tests/acceptance/features/apiGraph/getUser.feature
index f5e92927a6..fa0ea48d3d 100644
--- a/tests/acceptance/features/apiGraph/getUser.feature
+++ b/tests/acceptance/features/apiGraph/getUser.feature
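Review bot: Both `$url = self::getFullUrl(...)` lines splice `$roleId` (and `$groupId` in `getUsersWithFilterRolesAssignmentAndMemberOf`) straight into an OData `$filter` string literal, so a value containing a single quote terminates the literal and changes the filter rather than being matched; with UUIDs from the test fixtures this is harmless today, but the helper neither escapes nor documents that constraint. OData string literals escape `'` by doubling it, so normalising the argument first, `$roleId = str_replace("'", "''", $roleId);` (and the same for `$groupId`), keeps the filter well-formed for any input. The `'users' . '?$filter=...' . "eq '$roleId')"` concatenation also mixes quote styles on one line to get interpolation only at the end; a single `sprintf` with the value as the `%s` argument reads more clearly and makes the escaping point obvious. Whether `getFullUrl` or the HTTP client percent-encodes the spaces and quotes in the query string is not visible here and is presumably handled downstream; a one-line comment stating that would help the next reader.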
@@ -123,3 +123,54 @@ Feature: get users
 | displayName | id | mail | onPremisesSamAccountName |
 | Alice Hansen | %uuid_v4% | alice@example.org | Alice |
 | Carol King | %uuid_v4% | carol@example.org | Carol |
+
+
+ Scenario Outline: non admin user tries to get users of certain groups
+ Given the administrator has given "Brian" the role "" using the settings api
+ And group "tea-lover" has been created
+ And user "Alice" has been added to group "tea-lover"
+ When the user "Brian" gets all users of the group "tea-lover" using the Graph API
+ Then the HTTP status code should be "401"
+ And the last response should be an unauthorized response
+ Examples:
+ | role |
+ | Space Admin |
+ | User |
+ | Guest |
+
+
+ Scenario: admin user gets all users with certain roles and members of a certain group
+ Given user "Carol" has been created with default attributes and without skeleton files
+ And the administrator has given "Brian" the role "Space Admin" using the settings api
+ And the administrator has given "Carol" the role "Space Admin" using the settings api
+ And group "tea-lover" has been created
+ And user "Brian" has been added to group "tea-lover"
+ When the user "Alice" gets all users with role "Space Admin" using the Graph API
+ Then the HTTP status code should be "200"
+ And the API response should contain following users with the information:
+ | displayName | id | mail | onPremisesSamAccountName |
+ | Brian Murphy | %uuid_v4% | brian@example.org | Brian |
+ | Carol King | %uuid_v4% | carol@example.org | Carol |
+ But the API response should not contain following user with the information:
+ | displayName | id | mail | onPremisesSamAccountName |
+ | Alice Hansen | %uuid_v4% | alice@example.org | Alice |
+ When the user "Alice" gets all users with role "Space Admin" and member of the group "tea-lover" using the Graph API
+ Then the HTTP status code should be "200"
+ And the API response should contain following users with the information:
+ | displayName | id | mail | onPremisesSamAccountName |
+ | Brian Murphy | %uuid_v4% | brian@example.org | Brian |
+ But the API response should not contain following user with the information:
+ | displayName | id | mail | onPremisesSamAccountName |
+ | Carol King | %uuid_v4% | carol@example.org | Carol |
+
+
+ Scenario Outline: non-admin user tries to get users with a certain role
+ Given the administrator has given "Brian" the role "" using the settings api
+ When the user "Brian" gets all users with role "Admin" using the Graph API
+ Then the HTTP status code should be "401"
+ And the last response should be an unauthorized response
+ Examples:
+ | role |
+ | Space Admin |
+ | User |
+ | Guest |
diff --git a/tests/acceptance/features/bootstrap/GraphContext.php b/tests/acceptance/features/bootstrap/GraphContext.php
index 0b084b4430..9c97d197dc 100644
--- a/tests/acceptance/features/bootstrap/GraphContext.php
+++ b/tests/acceptance/features/bootstrap/GraphContext.php
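Review bot: In both Scenario Outlines the step `Given the administrator has given "Brian" the role "" using the settings api` shows an empty role string where the Examples column `role` is meant to be substituted, so as printed every row would grant Brian an empty role and the 401 assertion would not exercise "Space Admin", "User" or "Guest" at all. This may well be the column-name placeholder (the `role` name wrapped in angle brackets) being dropped when the page was rendered rather than a defect in the commit; please confirm the checked-in file carries the placeholder. If it really is empty, the fix is to put the angle-bracketed column name back inside the quotes on both steps. The two outlines also use slightly different titles ("non admin" and "non-admin"); aligning them keeps the report output consistent.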
@@ -1563,4 +1563,72 @@ class GraphContext implements Context {
 );
 $this->featureContext->setResponse($response);
 }
+
+ /**
+ * Get roleId by role name
+ *
+ * @param string $role
+ *
+ * @return string
+ * @throws GuzzleException
+ */
+ public function getRoleIdByRoleName(string $role): string {
+ $response = GraphHelper::getApplications(
+ $this->featureContext->getBaseUrl(),
+ $this->featureContext->getStepLineRef(),
+ $this->featureContext->getAdminUsername(),
+ $this->featureContext->getAdminPassword()
+ );
+ $responseData = \json_decode($response->getBody()->getContents(), true, 512, JSON_THROW_ON_ERROR);
+ if (isset($responseData["value"][0]["appRoles"])) {
+ foreach ($responseData["value"][0]["appRoles"] as $value) {
+ if ($value["displayName"] === $role) {
+ return $value["id"];
+ }
+ }
+ throw new Exception(__METHOD__ . " role with name $role not found");
+ }
+ }
+
+ /**
+ * @When the user :user gets all users with role :role using the Graph API
+ *
+ * @param string $user
+ * @param string $role
+ *
+ * @return void
+ * @throws GuzzleException
+ */
+ public function userGetsAllUsersWithRoleUsingTheGraphApi(string $user, string $role) {
+ $response = GraphHelper::getUsersWithFilterRoleAssignment(
+ $this->featureContext->getBaseUrl(),
+ $this->featureContext->getStepLineRef(),
+ $user,
+ $this->featureContext->getPasswordForUser($user),
+ $this->getRoleIdByRoleName($role)
+ );
+ $this->featureContext->setResponse($response);
+ }
+
+ /**
+ * @When the user :user gets all users with role :role and member of the group :group using the Graph API
+ *
+ * @param string $user
+ * @param string $role
+ * @param string $group
+ *
+ * @return void
+ * @throws GuzzleException
+ */
+ public function userGetsAllUsersWithRoleAndMemberOfGroupUsingTheGraphApi(string $user, string $role, string $group) {
+ $response = GraphHelper::getUsersWithFilterRolesAssignmentAndMemberOf(
+ $this->featureContext->getBaseUrl(),
+ $this->featureContext->getStepLineRef(),
+ $user,
+ $this->featureContext->getPasswordForUser($user),
+ $this->getRoleIdByRoleName($role),
+ $this->featureContext->getGroupIdByGroupName($group)
+ );
+ $this->featureContext->setResponse($response);
+ }
 }
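Review bot: `getRoleIdByRoleName` has no return path when `$responseData["value"][0]["appRoles"]` is absent: the `isset` guard is skipped, the method falls off the end, and the declared `: string` return type turns that into a generic TypeError ("none returned") instead of the descriptive message the method already prepares. Moving `throw new Exception(__METHOD__ . " role with name $role not found");` out of the `if` block, to just before the method's closing brace, makes both the missing-key case and the no-match case fail with the same readable error. The `\json_decode(..., JSON_THROW_ON_ERROR)` call can also raise `JsonException`, which the `@throws GuzzleException` docblock does not mention. On style, the two `@When` step methods document `@return void` but omit the native `: void` return type that the helper above them uses for `: string`; adding it keeps the three new methods consistent.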