diff --git a/api/src/routes/api/spec/group.spec.ts b/api/src/routes/api/spec/group.spec.ts
index fe1072e..56af21a 100644
--- a/api/src/routes/api/spec/group.spec.ts
+++ b/api/src/routes/api/spec/group.spec.ts
@@ -4,8 +4,13 @@ import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import appPromise from '../../../app'
 import { UserController, GroupController } from '../../../controllers/'
-import { generateAccessToken, saveTokensInDB } from '../../../utils'
-import { PUBLIC_GROUP_NAME } from '../../../model/Group'
+import {
+ generateAccessToken,
+ saveTokensInDB,
+ AuthProviderType
+} from '../../../utils'
+import Group, { PUBLIC_GROUP_NAME } from '../../../model/Group'
+import User from '../../../model/User'
 
 const clientId = 'someclientID'
 const adminUser = {
@@ -560,6 +565,46 @@ describe('group', () => {
 `Can't add/remove user to '${PUBLIC_GROUP_NAME}' group.`
 )
 })
+
+ it('should respond with Method Not Allowed if group is created by an external authProvider', async () => {
+ const dbGroup = await Group.create({
+ ...group,
+ authProvider: AuthProviderType.LDAP
+ })
+ const dbUser = await userController.createUser({
+ ...user,
+ username: 'ldapGroupUser'
+ })
+
+ const res = await request(app)
+ .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+ .auth(adminAccessToken, { type: 'bearer' })
+ .send()
+ .expect(405)
+
+ expect(res.text).toEqual(
+ `Can't add/remove user to group created by external auth provider.`
+ )
+ })
+
+ it('should respond with Method Not Allowed if user is created by an external authProvider', async () => {
+ const dbGroup = await groupController.createGroup(group)
+ const dbUser = await User.create({
+ ...user,
+ username: 'ldapUser',
+ authProvider: AuthProviderType.LDAP
+ })
+
+ const res = await request(app)
+ .post(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+ .auth(adminAccessToken, { type: 'bearer' })
+ .send()
+ .expect(405)
+
+ expect(res.text).toEqual(
+ `Can't add/remove user to group created by external auth provider.`
+ )
+ })
 })
 
 describe('RemoveUser', () => {
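Review bot: The second test's assertion pins a message that misdescribes its own case — there the user is the externally managed object, yet it expects `Can't add/remove user to group created by external auth provider.`, the same text the group case asserts, so a client cannot tell which side blocked the operation. If the controller can distinguish the two, assert a distinct text for the user case (e.g. `Can't add/remove user created by external auth provider to group.`); if it cannot, say so in the test name rather than leaving the mismatch silent. Both tests also set `authProvider` directly through the model, so nothing here shows whether the public create endpoints accept that attribute from a request body — a test that a POST carrying `authProvider: AuthProviderType.LDAP` is ignored or rejected would confirm an API client cannot toggle the guard (the controllers are not visible in this diff). Finally, neither test checks that membership is unchanged after the 405; a follow-up GET of the group would complete the negative assertion.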
@@ -611,6 +656,46 @@ describe('group', () => {
 expect(res.body.groups).toEqual([])
 })
 
+ it('should respond with Method Not Allowed if group is created by an external authProvider', async () => {
+ const dbGroup = await Group.create({
+ ...group,
+ authProvider: AuthProviderType.LDAP
+ })
+ const dbUser = await userController.createUser({
+ ...user,
+ username: 'removeLdapGroupUser'
+ })
+
+ const res = await request(app)
+ .delete(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+ .auth(adminAccessToken, { type: 'bearer' })
+ .send()
+ .expect(405)
+
+ expect(res.text).toEqual(
+ `Can't add/remove user to group created by external auth provider.`
+ )
+ })
+
+ it('should respond with Method Not Allowed if user is created by an external authProvider', async () => {
+ const dbGroup = await groupController.createGroup(group)
+ const dbUser = await User.create({
+ ...user,
+ username: 'removeLdapUser',
+ authProvider: AuthProviderType.LDAP
+ })
+
+ const res = await request(app)
+ .delete(`/SASjsApi/group/${dbGroup.groupId}/${dbUser.id}`)
+ .auth(adminAccessToken, { type: 'bearer' })
+ .send()
+ .expect(405)
+
+ expect(res.text).toEqual(
+ `Can't add/remove user to group created by external auth provider.`
+ )
+ })
+
 it('should respond with Unauthorized if access token is not present', async () => {
 const res = await request(app)
 .delete('/SASjsApi/group/123/123')
diff --git a/api/src/routes/api/spec/user.spec.ts b/api/src/routes/api/spec/user.spec.ts
index b2e000f..da8b829 100644
--- a/api/src/routes/api/spec/user.spec.ts
+++ b/api/src/routes/api/spec/user.spec.ts
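Review bot: Both delete tests assert 405 without asserting an `Allow` header, and a policy rejection is conventionally 403 (Forbidden) or 409 rather than 405, which RFC 9110 reserves for a method the target resource does not support and requires to carry `Allow`. The status matches the `PUBLIC_GROUP_NAME` case earlier in this describe block, so if 405 is kept deliberately, at least pin what the server emits, e.g. `.expect(405)` followed by `.expect('Allow', /GET/)` adjusted to the route's actual header (not visible here); otherwise a 403 with the same text would be the more accurate contract. In both tests the user is never a member of the group, so they also cannot show whether the external-provider check runs before or after any not-a-member check; seeding membership through the model first, in the user-is-external case, would make that ordering observable.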
@@ -4,7 +4,12 @@ import { MongoMemoryServer } from 'mongodb-memory-server'
 import request from 'supertest'
 import appPromise from '../../../app'
 import { UserController, GroupController } from '../../../controllers/'
-import { generateAccessToken, saveTokensInDB } from '../../../utils'
+import {
+ generateAccessToken,
+ saveTokensInDB,
+ AuthProviderType
+} from '../../../utils'
+import User from '../../../model/User'
 
 const clientId = 'someclientID'
 const adminUser = {
@@ -226,6 +231,36 @@ describe('user', () => {
 .expect(400)
 })
 
+ it('should respond with Method Not Allowed, when updating username of user created by an external auth provider', async () => {
+ const dbUser = await User.create({
+ ...user,
+ authProvider: AuthProviderType.LDAP
+ })
+ const accessToken = await generateAndSaveToken(dbUser!.id)
+ const newUsername = 'newUsername'
+
+ await request(app)
+ .patch(`/SASjsApi/user/${dbUser!.id}`)
+ .auth(accessToken, { type: 'bearer' })
+ .send({ username: newUsername })
+ .expect(405)
+ })
+
+ it('should respond with Method Not Allowed, when updating displayName of user created by an external auth provider', async () => {
+ const dbUser = await User.create({
+ ...user,
+ authProvider: AuthProviderType.LDAP
+ })
+ const accessToken = await generateAndSaveToken(dbUser!.id)
+ const newDisplayName = 'My new display Name'
+
+ await request(app)
+ .patch(`/SASjsApi/user/${dbUser!.id}`)
+ .auth(accessToken, { type: 'bearer' })
+ .send({ displayName: newDisplayName })
+ .expect(405)
+ })
+
 it('should respond with Unauthorized if access token is not present', async () => {
 const res = await request(app)
 .patch('/SASjsApi/user/1234')
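Review bot: Both PATCH tests exercise only the self-update path with the LDAP user's own token and check nothing beyond the status code: they do not assert the response text and never read the record back, so a handler that wrote the new `username`/`displayName` and then returned 405 would still pass. Add a follow-up such as `expect((await User.findById(dbUser.id))?.username).toEqual(user.username)`, and a variant that sends the same body with the admin token so an administrator cannot rename an externally managed user either; whether this route also accepts `password` is not visible here, but if it does, that field deserves the same test most of all. The `dbUser!` non-null assertions are unnecessary — `User.create` rejects rather than resolving to null — so `generateAndSaveToken(dbUser.id)` and `/SASjsApi/user/${dbUser.id}` read cleaner. The enclosing `describe('user', …)` block starts and ends outside the hunk.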