From 1ec99e604e4aa2942bd416bfeafb4ac0f4a71476 Mon Sep 17 00:00:00 2001
From: Aljoscha Bollmann
Date: Sat, 21 Feb 2026 10:31:10 +0100
Subject: [PATCH] test(microsoft): test if the correct error is returned if the user is not in any of the required groups

Signed-off-by: Aljoscha Bollmann
---
 connector/microsoft/microsoft_test.go | 34 +++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/connector/microsoft/microsoft_test.go b/connector/microsoft/microsoft_test.go
index 67be660f..bbeb18fb 100644
--- a/connector/microsoft/microsoft_test.go
+++ b/connector/microsoft/microsoft_test.go
@@ -2,6 +2,7 @@ package microsoft
 
 import (
 "encoding/json"
+ "errors"
 "fmt"
 "net/http"
 "net/http/httptest"
@@ -119,6 +120,39 @@ func TestUserGroupsFromGraphAPI(t *testing.T) {
 expectEquals(t, identity.Groups, []string{"a", "b"})
 }
 
+func TestUserNotInRequiredGroupFromGraphAPI(t *testing.T) {
+ s := newTestServer(map[string]testResponse{
+ "/v1.0/me?$select=id,displayName,userPrincipalName": {
+ data: user{ID: "user-id-123", Name: "Jane Doe", Email: "jane.doe@example.com"},
+ },
+ // The user is a member of groups "c" and "d", but the connector only
+ // allows group "a" — so the user should be denied.
+ "/v1.0/me/getMemberGroups": {data: map[string]interface{}{
+ "value": []string{"c", "d"},
+ }},
+ "/" + tenant + "/oauth2/v2.0/token": dummyToken,
+ })
+ defer s.Close()
+
+ req, _ := http.NewRequest("GET", s.URL, nil)
+
+ c := microsoftConnector{
+ apiURL: s.URL,
+ graphURL: s.URL,
+ tenant: tenant,
+ groups: []string{"a"},
+ }
+ _, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
+ if err == nil {
+ t.Fatal("expected error when user is not in any required group, got nil")
+ }
+
+ var groupsErr *connector.UserNotInRequiredGroupsError
+ if !errors.As(err, &groupsErr) {
+ t.Errorf("expected *connector.UserNotInRequiredGroupsError, got %T: %v", err, err)
+ }
+}
+
 func newTestServer(responses map[string]testResponse) *httptest.Server {
 s := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 response, found := responses[r.RequestURI]
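Review bot: The denial path in `TestUserNotInRequiredGroupFromGraphAPI` discards the identity (`_, err := c.HandleCallback(...)`), so the test would still pass if the connector returned a populated identity together with the group error. Since this check is the connector's group-based authorization gate, I would keep the value and assert it carries no groups: `identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)` and later `if len(identity.Groups) != 0 { t.Errorf("denied login returned groups %v", identity.Groups) }`. The test also pins only the disjoint case (`"c", "d"` against required `"a"`); an empty `"value"` list is the other boundary worth covering, presumably with the same expected error type. The error from `http.NewRequest` is dropped with `req, _ :=`, and failing the test on it would keep a malformed test URL from surfacing as a confusing callback error.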