From a01a77c04c7830c74fe258c4ca48689ae7031bd1 Mon Sep 17 00:00:00 2001 From: Robert McLeod Date: Tue, 18 Feb 2020 23:11:06 +1100 Subject: [PATCH] Add role assertions and route tests to group functions --- functions/Get-Group.ps1 | 2 + functions/New-Group.ps1 | 2 + functions/Remove-Group.ps1 | 2 + functions/Update-Group.ps1 | 2 + tests/Routes-Groups.tests.ps1 | 241 ++++++++++++++++++++++++++++++++++ 5 files changed, 249 insertions(+) create mode 100644 tests/Routes-Groups.tests.ps1 diff --git a/functions/Get-Group.ps1 b/functions/Get-Group.ps1 index 6707ed2..802a3c6 100644 --- a/functions/Get-Group.ps1 +++ b/functions/Get-Group.ps1 @@ -41,6 +41,8 @@ function Get-Group { $Context = $null ) + Assert-IsAgent -Context $Context + $key = 'groups' switch ($PSCMDlet.ParameterSetName) { diff --git a/functions/New-Group.ps1 b/functions/New-Group.ps1 index 596668a..a45f2f0 100644 --- a/functions/New-Group.ps1 +++ b/functions/New-Group.ps1 @@ -18,6 +18,8 @@ function New-Group { $Context = $null ) + Assert-IsAdmin -Context $Context + $path = '/api/v2/groups.json' $body = @{ group = @{ diff --git a/functions/Remove-Group.ps1 b/functions/Remove-Group.ps1 index 3ecaf54..c0523ff 100644 --- a/functions/Remove-Group.ps1 +++ b/functions/Remove-Group.ps1 @@ -18,6 +18,8 @@ function Remove-Group { $Context = $null ) + Assert-IsAdmin -Context $Context + $path = "/api/v2/groups/$Id.json" if ($PSCmdlet.ShouldProcess($Id, "Delete Group")) { diff --git a/functions/Update-Group.ps1 b/functions/Update-Group.ps1 index 57545be..2b1a758 100644 --- a/functions/Update-Group.ps1 +++ b/functions/Update-Group.ps1 @@ -25,6 +25,8 @@ function Update-Group { $Context = $null ) + Assert-IsAdmin -Context $Context + $path = "/api/v2/groups/$Id.json" $body = @{ group = @{ diff --git a/tests/Routes-Groups.tests.ps1 b/tests/Routes-Groups.tests.ps1 new file mode 100644 index 0000000..b5b59bb --- /dev/null +++ b/tests/Routes-Groups.tests.ps1 
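Review bot: The `Assert-IsAgent -Context $Context` line added to Get-Group, and the `Assert-IsAdmin -Context $Context` lines added the same way to New-Group, Remove-Group and Update-Group, have no comment saying they are a client-side pre-flight check. Judging by the new tests they appear to read `User.role` from a context object the caller builds, so the Zendesk API remains the real authorization boundary; I would add a line above each such as `# Fail fast on the role recorded in the context; the server still enforces access.` Each function also defaults `$Context` to `$null`, and these hunks do not show what the assertion does in that case. It is worth confirming that it falls back to the stored connection rather than passing silently, and adding a test for it. All four function bodies continue outside their hunks.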
@@ -0,0 +1,241 @@
+[Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSAvoidUsingConvertToSecureStringWithPlainText', '')]
+Param()
+
+Import-Module "$PSScriptRoot/../PwshZendesk.psm1" -Force
+
+Describe 'Groups Routes' {
+
+ InModuleScope PwshZendesk {
+
+ $IsInteractive = [Environment]::GetCommandLineArgs() -join ' ' -notmatch '-NonI'
+
+ $context = @{
+ Organization = 'company'
+ BaseUrl = 'https://company.testdesk.com'
+ Credential = [System.Management.Automation.PSCredential]::New('email', ('api-key' | ConvertTo-SecureString -AsPlainText -Force))
+ User = [PSCustomObject]@{ role = '' }
+ }
+ $context | Add-Member -TypeName 'ZendeskContext'
+
+ Mock -ModuleName PwshZendesk Invoke-RestMethod { [PSCustomObject]@{ group = $null; groups = $null } }
+
+ Context 'List Groups' {
+ It 'Matches the endpoint' {
+ if ($IsInteractive) {
+ throw 'Please run test in non-interactive mode'
+ }
+
+ $context.User.role = 'admin'
+
+ { Get-Group -Context $context } | Should -Not -Throw
+ Assert-MockCalled Invoke-RestMethod -Exactly 1 -ParameterFilter { $Method -eq 'Get' -and $Uri -match '/api/v2/groups\.json' } -Scope It
+ }
+
+ It 'Does not allow end users to call' {
+ $context.User.role = 'end-user'
+
+ { Get-Group -Context $context } | Should -Throw 'Authenticated user must have role'
+ }
+
+ It 'Allows agents to call' {
+ $context.User.role = 'agent'
+
+ { Get-Group -Context $context } | Should -Not -Throw
+ }
+
+ It 'Allows admins to call' {
+ $context.User.role = 'admin'
+
+ { Get-Group -Context $context } | Should -Not -Throw
+ }
+ }
+
+ Context 'List Groups by user' {
+ It 'Matches the endpoint' {
+ if ($IsInteractive) {
+ throw 'Please run test in non-interactive mode'
+ }
+
+ $context.User.role = 'admin'
+
+ { Get-Group -Context $context -UserId 1 } | Should -Not -Throw
+ Assert-MockCalled Invoke-RestMethod -Exactly 1 -ParameterFilter { $Method -eq 'Get' -and $Uri -match '/api/v2/users/\d+/groups\.json' } -Scope It
+ }
+
+ It 'Does not allow end users to call' {
+ $context.User.role = 'end-user'
+
+ { Get-Group -Context $context -UserId 1 } | Should -Throw 'Authenticated user must have role'
+ }
+
+ It 'Allows agents to call' {
+ $context.User.role = 'agent'
+
+ { Get-Group -Context $context -UserId 1 } | Should -Not -Throw
+ }
+
+ It 'Allows admins to call' {
+ $context.User.role = 'admin'
+
+ { Get-Group -Context $context -UserId 1 } | Should -Not -Throw
+ }
+ }
+
+ Context 'Show assignable groups' {
+ It 'Matches the endpoint' {
+ if ($IsInteractive) {
+ throw 'Please run test in non-interactive mode'
+ }
+
+ $context.User.role = 'admin'
+
+ { Get-Group -Context $context -Assignable } | Should -Not -Throw
+ Assert-MockCalled Invoke-RestMethod -Exactly 1 -ParameterFilter { $Method -eq 'Get' -and $Uri -match '/api/v2/groups/assignable.json' } -Scope It
+ }
+
+ It 'Does not allow end users to call' {
+ $context.User.role = 'end-user'
+
+ { Get-Group -Context $context -Assignable } | Should -Throw 'Authenticated user must have role'
+ }
+
+ It 'Allows agents to call' {
+ $context.User.role = 'agent'
+
+ { Get-Group -Context $context -Assignable } | Should -Not -Throw
+ }
+
+ It 'Allows admins to call' {
+ $context.User.role = 'admin'
+
+ { Get-Group -Context $context -Assignable } | Should -Not -Throw
+ }
+ }
+
+ Context 'Show Group' {
+ It 'Matches the endpoint' {
+ if ($IsInteractive) {
+ throw 'Please run test in non-interactive mode'
+ }
+
+ $context.User.role = 'admin'
+
+ { Get-Group -Context $context -Id 1 } | Should -Not -Throw
+ Assert-MockCalled Invoke-RestMethod -Exactly 1 -ParameterFilter { $Method -eq 'Get' -and $Uri -match '/api/v2/groups/\d+\.json' } -Scope It
+ }
+
+ It 'Does not allow end users to call' {
+ $context.User.role = 'end-user'
+
+ { Get-Group -Context $context -Id 1 } | Should -Throw 'Authenticated user must have role'
+ }
+
+ It 'Allows agents to call' {
+ $context.User.role = 'agent'
+
+ { Get-Group -Context $context -Id 1 } | Should -Not -Throw
+ }
+
+ It 'Allows admins to call' {
+ $context.User.role = 'admin'
+
+ { Get-Group -Context $context -Id 1 } | Should -Not -Throw
+ }
+ }
+
+ Context 'Create Group' {
+ It 'Matches the endpoint' {
+ if ($IsInteractive) {
+ throw 'Please run test in non-interactive mode'
+ }
+
+ $context.User.role = 'admin'
+
+ { New-Group -Context $context -Name 'New' -Confirm:$false } | Should -Not -Throw
+ Assert-MockCalled Invoke-RestMethod -Exactly 1 -ParameterFilter { $Method -eq 'Post' -and $Uri -match '/api/v2/groups\.json' } -Scope It
+ }
+
+ It 'Does not allow end users to call' {
+ $context.User.role = 'end-user'
+
+ { New-Group -Context $context -Name 'New' -Confirm:$false } | Should -Throw 'Authenticated user must have role'
+ }
+
+ It 'Does not allow agents to call' {
+ $context.User.role = 'agent'
+
+ { New-Group -Context $context -Name 'New' -Confirm:$false } | Should -Throw 'Authenticated user must have role'
+ }
+
+ It 'Allows admins to call' {
+ $context.User.role = 'admin'
+
+ { New-Group -Context $context -Name 'New' -Confirm:$false } | Should -Not -Throw
+ }
+ }
+
+ Context 'Update Group' {
+ It 'Matches the endpoint' {
+ if ($IsInteractive) {
+ throw 'Please run test in non-interactive mode'
+ }
+
+ $context.User.role = 'admin'
+
+ { Update-Group -Context $context -Id 1 -Name 'Newer' -Confirm:$false } | Should -Not -Throw
+ Assert-MockCalled Invoke-RestMethod -Exactly 1 -ParameterFilter { $Method -eq 'Put' -and $Uri -match '/api/v2/groups/\d+\.json' } -Scope It
+ }
+
+ It 'Does not allow end users to call' {
+ $context.User.role = 'end-user'
+
+ { Update-Group -Context $context -Id 1 -Name 'Newer' -Confirm:$false } | Should -Throw 'Authenticated user must have role'
+ }
+
+ It 'Does not allow agents to call' {
+ $context.User.role = 'agent'
+
+ { Update-Group -Context $context -Id 1 -Name 'Newer' -Confirm:$false } | Should -Throw 'Authenticated user must have role'
+ }
+
+ It 'Allows admins to call' {
+ $context.User.role = 'admin'
+
+ { Update-Group -Context $context -Id 1 -Name 'Newer' -Confirm:$false } | Should -Not -Throw
+ }
+ }
+
+ Context 'Delete Group' {
+ It 'Matches the endpoint' {
+ if ($IsInteractive) {
+ throw 'Please run test in non-interactive mode'
+ }
+
+ $context.User.role = 'admin'
+
+ { Remove-Group -Context $context -Id 1 -Confirm:$false } | Should -Not -Throw
+ Assert-MockCalled Invoke-RestMethod -Exactly 1 -ParameterFilter { $Method -eq 'Delete' -and $Uri -match '/api/v2/groups/\d+\.json' } -Scope It
+ }
+
+ It 'Does not allow end users to call' {
+ $context.User.role = 'end-user'
+
+ { Remove-Group -Context $context -Id 1 -Confirm:$false } | Should -Throw 'Authenticated user must have role'
+ }
+
+ It 'Does not allow agents to call' {
+ $context.User.role = 'agent'
+
+ { Remove-Group -Context $context -Id 1 -Confirm:$false } | Should -Throw 'Authenticated user must have role'
+ }
+
+ It 'Allows admins to call' {
+ $context.User.role = 'admin'
+
+ { Remove-Group -Context $context -Id 1 -Confirm:$false } | Should -Not -Throw
+ }
+ }
+
+ }
+
+}
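Review bot: The denied-role cases (every `Should -Throw 'Authenticated user must have role'`) check only that the call threw, not that no request left the client, so a regression that moves the role assertion below the `Invoke-RestMethod` call would still pass. Adding `Assert-MockCalled Invoke-RestMethod -Exactly 0 -Scope It` after each of those lines would pin the check-before-request ordering. The context is created with `role = ''`, yet no test asserts that an empty or missing role is rejected, which is the case most likely to slip through a role comparison. As a style point, the 'Show assignable groups' filter uses `'/api/v2/groups/assignable.json'` with an unescaped dot, unlike the other patterns; `assignable\.json` would match them.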