[backend] Test for user admin orga

(#8011)
OpenCTI-Platform · Aug 15, 2024 · 5e46ecd · 5e46ecd
1 parent 68b3960
commit 5e46ecd
Show file tree

Hide file tree

Showing 3 changed files with 229 additions and 6 deletions.
diff --git a/opencti-platform/opencti-graphql/src/modules/organization/organization-domain.ts b/opencti-platform/opencti-graphql/src/modules/organization/organization-domain.ts
@@ -47,14 +47,17 @@ export const editAuthorizedAuthorities = async (context: AuthContext, user: Auth
 export const organizationAdminAdd = async (context: AuthContext, user: AuthUser, organizationId: string, memberId: string) => {
   // Get Orga and members
   const organization = await findById(context, user, organizationId);
-  const members: BasicStoreEntity[] = await listAllFromEntitiesThroughRelations(context, user, organizationId, RELATION_PARTICIPATE_TO, ENTITY_TYPE_USER);
+  if (!organization) {
+    throw FunctionalError('Organization not found');
+  }
+  const members: BasicStoreEntity[] = await listAllFromEntitiesThroughRelations(context, user, organization.id, RELATION_PARTICIPATE_TO, ENTITY_TYPE_USER);
   const updatedUser = members.find(({ id }) => id === memberId);
   // Check if user is part of Orga. If not, throw exception
   if (!updatedUser) {
-    throw FunctionalError('User is not part of the organization');
+    throw FunctionalError('User is not part of the organization', { members, memberId });
   }
   // Add user to organization admins list
-  const updated = await editAuthorizedAuthorities(context, user, organizationId, [...(organization.authorized_authorities ?? []), memberId]);
+  const updated = await editAuthorizedAuthorities(context, user, organization.id, [...(organization.authorized_authorities ?? []), memberId]);
   await publishUserAction({
     user,
     event_type: 'mutation',
@@ -70,7 +73,10 @@ export const organizationAdminAdd = async (context: AuthContext, user: AuthUser,
 export const organizationAdminRemove = async (context: AuthContext, user: AuthUser, organizationId: string, memberId: string) => {
   // Get Orga and members
   const organization = await findById(context, user, organizationId);
-  const members: BasicStoreEntity[] = await listAllFromEntitiesThroughRelations(context, user, organizationId, RELATION_PARTICIPATE_TO, ENTITY_TYPE_USER);
+  if (!organization) {
+    throw FunctionalError('Organization not found');
+  }
+  const members: BasicStoreEntity[] = await listAllFromEntitiesThroughRelations(context, user, organization.id, RELATION_PARTICIPATE_TO, ENTITY_TYPE_USER);
   const updatedUser = members.find(({ id }) => id === memberId);
   // Check if user is part of Orga and is orga_admin. If not, throw exception
   if (!updatedUser) {

diff --git a/opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/user-test.js b/opencti-platform/opencti-graphql/tests/02-integration/02-resolvers/user-test.js
@@ -3,8 +3,23 @@ import { afterAll, beforeAll, describe, expect, it } from 'vitest';
 import { elLoadById } from '../../../src/database/engine';
 import { generateStandardId } from '../../../src/schema/identifier';
 import { ENTITY_TYPE_CAPABILITY, ENTITY_TYPE_GROUP, ENTITY_TYPE_USER } from '../../../src/schema/internalObject';
-import { ADMIN_USER, adminQuery, editorQuery, queryAsAdmin, testContext, TESTING_GROUPS, TESTING_USERS } from '../../utils/testQuery';
+import {
+  ADMIN_USER,
+  adminQuery,
+  AMBER_GROUP,
+  editorQuery,
+  getGroupIdByName,
+  getOrganizationIdByName,
+  getUserIdByEmail,
+  queryAsAdmin,
+  TEST_ORGANIZATION,
+  testContext,
+  TESTING_GROUPS,
+  TESTING_USERS,
+  USER_EDITOR
+} from '../../utils/testQuery';
 import { ENTITY_TYPE_IDENTITY_ORGANIZATION } from '../../../src/modules/organization/organization-types';
+import { VIRTUAL_ORGANIZATION_ADMIN } from '../../../src/utils/access';
 
 const LIST_QUERY = gql`
   query users(
@@ -684,3 +699,158 @@ describe('User has no capability query behavior', () => {
     });
   });
 });
+
+describe('User has no settings capability and is organization admin query behavior', () => {
+  let userInternalId;
+  let userEditorId;
+  let testOrganizationId;
+  afterAll(async () => {
+    it('should remove the capability to administrate the Organization', async () => {
+      const ORGA_ADMIN_DELETE_QUERY = gql`
+        mutation OrganizationAdminRemove($id: ID!, $memberId: String!) {
+          organizationAdminRemove(id: $id, memberId: $memberId) {
+            id
+          }
+        }
+      `;
+      const queryResult = await queryAsAdmin({
+        query: ORGA_ADMIN_DELETE_QUERY,
+        variables: {
+          id: testOrganizationId,
+          memberId: userEditorId,
+        },
+      });
+      expect(queryResult).not.toBeNull();
+      expect(queryResult.data.organizationAdminRemove).not.toBeNull();
+      expect(queryResult.data.organizationAdminRemove.id).toEqual(testOrganizationId);
+
+      // Check that USER_EDITOR is not any more Organization administrator
+      const editorUserQueryResult = await queryAsAdmin({ query: READ_QUERY, variables: { id: userEditorId } });
+      expect(editorUserQueryResult).not.toBeNull();
+      expect(editorUserQueryResult.data.user).not.toBeNull();
+      expect(editorUserQueryResult.data.user.length).toEqual();
+      expect(editorUserQueryResult.data.user.capabilities).not.includes(VIRTUAL_ORGANIZATION_ADMIN);
+    });
+    it('should remove granted_groups to TEST_ORGANIZATION', async () => {
+      const UPDATE_QUERY = gql`
+        mutation OrganizationEdit($id: ID!, $input: [EditInput]!) {
+          organizationFieldPatch(id: $id, input: $input) {
+            id
+            name
+            grantable_groups {
+              id
+            }
+          }
+        }
+      `;
+      const queryResult = await queryAsAdmin({
+        query: UPDATE_QUERY,
+        variables: { id: testOrganizationId, input: { key: 'grantable_groups', value: [] } },
+      });
+      expect(queryResult.data.organizationFieldPatch.grantable_groups.length).toEqual(0);
+    });
+  });
+  it('should has the capability to administrate the Organization', async () => {
+    const ORGA_ADMIN_ADD_QUERY = gql`
+      mutation OrganizationAdminAdd($id: ID!, $memberId: String!) {
+        organizationAdminAdd(id: $id, memberId: $memberId) {
+          id
+          standard_id
+        }
+      }
+    `;
+    userEditorId = await getUserIdByEmail(USER_EDITOR.email); // USER_EDITOR is perfect because she has no settings capabilities and she is part of TEST_ORGANIZATION organization
+    const queryResult = await queryAsAdmin({
+      query: ORGA_ADMIN_ADD_QUERY,
+      variables: {
+        id: TEST_ORGANIZATION.id,
+        memberId: userEditorId,
+      },
+    });
+    expect(queryResult).not.toBeNull();
+    expect(queryResult.data.organizationAdminAdd).not.toBeNull();
+    expect(queryResult.data.organizationAdminAdd.standard_id).toEqual(TEST_ORGANIZATION.id);
+
+    // Check that USER_EDITOR is Organization administrator
+    const editorUserQueryResult = await queryAsAdmin({ query: READ_QUERY, variables: { id: userEditorId } });
+    expect(editorUserQueryResult).not.toBeNull();
+    expect(editorUserQueryResult.data.user).not.toBeNull();
+    expect(editorUserQueryResult.data.user.capabilities.length).toEqual(5);
+    const { capabilities } = editorUserQueryResult.data.user;
+    expect(capabilities.some((capa) => capa.name === VIRTUAL_ORGANIZATION_ADMIN)).toEqual(true);
+  });
+  it('should user created', async () => {
+    // Create the user
+    testOrganizationId = await getOrganizationIdByName(TEST_ORGANIZATION.name);
+    const amberGroupId = await getGroupIdByName(AMBER_GROUP.name);
+    const USER_TO_CREATE = {
+      input: {
+        name: 'User',
+        description: 'User description',
+        password: 'user',
+        user_email: 'user@mail.com',
+        firstname: 'User',
+        lastname: 'OpenCTI',
+        objectOrganization: [testOrganizationId],
+        groups: [amberGroupId],
+      },
+    };
+
+    // Need to add granted_groups to TEST_ORGANIZATION because of line 533 in domain/user.js
+    const UPDATE_QUERY = gql`
+      mutation OrganizationEdit($id: ID!, $input: [EditInput]!) {
+        organizationFieldPatch(id: $id, input: $input) {
+          id
+          name
+          grantable_groups {
+            id
+          }
+        }
+      }
+    `;
+    const queryResult = await queryAsAdmin({
+      query: UPDATE_QUERY,
+      variables: { id: testOrganizationId, input: { key: 'grantable_groups', value: [amberGroupId] } },
+    });
+    expect(queryResult.data.organizationFieldPatch.grantable_groups.length).toEqual(1);
+    expect(queryResult.data.organizationFieldPatch.grantable_groups[0]).toEqual({ id: amberGroupId });
+
+    // Create User
+    const user = await editorQuery({
+      query: CREATE_QUERY,
+      variables: USER_TO_CREATE,
+    });
+    expect(user).not.toBeNull();
+    expect(user.data.userAdd).not.toBeNull();
+    userInternalId = user.data.userAdd.id;
+
+    expect(user.data.userAdd.name).toEqual('User');
+  });
+  it('should update user from its own organization', async () => {
+    const UPDATE_QUERY = gql`
+      mutation UserEdit($id: ID!, $input: [EditInput]!) {
+        userEdit(id: $id) {
+          fieldPatch(input: $input) {
+            account_status
+          }
+        }
+      }
+    `;
+    const queryResult = await editorQuery({
+      query: UPDATE_QUERY,
+      variables: { id: userInternalId, input: { key: 'account_status', value: ['Inactive'] } },
+    });
+    expect(queryResult.data.userEdit.fieldPatch.account_status).toEqual('Inactive');
+  });
+  it('should user deleted', async () => {
+    // Delete user
+    await editorQuery({
+      query: DELETE_QUERY,
+      variables: { id: userInternalId },
+    });
+    // Verify is no longer found
+    const queryResult = await adminQuery({ query: READ_QUERY, variables: { id: userInternalId } });
+    expect(queryResult).not.toBeNull();
+    expect(queryResult.data.user).toBeNull();
+  });
+});
diff --git a/opencti-platform/opencti-graphql/tests/utils/testQuery.ts b/opencti-platform/opencti-graphql/tests/utils/testQuery.ts
@@ -470,7 +470,7 @@ const ORGANIZATION_ASSIGN_MUTATION = `
     userEdit(id: $userId) {
       relationAdd(input: {
         toId: $toId
-        relationship_type: "member-of"
+        relationship_type: "participate-to"
       }) {
         id
       }
@@ -605,6 +605,53 @@ export const getUserIdByEmail = async (email: string) => {
   }
   return data.users.edges[0].node.id;
 };
+
+// endregion
+
+// Search for test organizations
+const ORGANIZATION_SEARCH_QUERY = `
+  query OrganizationTestSearchQuery($search: String) {
+    organizations(search: $search) {
+      edges {
+        node {
+          name
+          id
+        }
+      }
+    }
+  }
+`;
+export const getOrganizationIdByName = async (name: string) => {
+  const { data } = await internalAdminQuery(ORGANIZATION_SEARCH_QUERY, { search: `"${name}"` });
+  if (!data?.organizations.edges.length) {
+    return null;
+  }
+  return data.organizations.edges[0].node.id;
+};
+
+// endregion
+
+// Search for test group
+const GROUP_SEARCH_QUERY = `
+  query GroupTestSearchQuery($search: String) {
+    groups(search: $search) {
+      edges {
+        node {
+          name
+          id
+        }
+      }
+    }
+  }
+`;
+export const getGroupIdByName = async (name: string) => {
+  const { data } = await internalAdminQuery(GROUP_SEARCH_QUERY, { search: `"${name}"` });
+  if (!data?.groups.edges.length) {
+    return null;
+  }
+  return data.groups.edges[0].node.id;
+};
+
 // endregion
 
 type markingType = { standard_id: string; internal_id: string };