@@ -2,6 +2,7 @@ package microsoft
22
33import (
44 "encoding/json"
5+ "errors"
56 "fmt"
67 "net/http"
78 "net/http/httptest"
@@ -119,6 +120,39 @@ func TestUserGroupsFromGraphAPI(t *testing.T) {
119120 expectEquals (t , identity .Groups , []string {"a" , "b" })
120121}
121122
123+ func TestUserNotInRequiredGroupFromGraphAPI (t * testing.T ) {
124+ s := newTestServer (map [string ]testResponse {
125+ "/v1.0/me?$select=id,displayName,userPrincipalName" : {
126+ data : user {ID : "user-id-123" , Name : "Jane Doe" , Email : "jane.doe@example.com" },
127+ },
128+ // The user is a member of groups "c" and "d", but the connector only
129+ // allows group "a" — so the user should be denied.
130+ "/v1.0/me/getMemberGroups" : {data : map [string ]interface {}{
131+ "value" : []string {"c" , "d" },
132+ }},
133+ "/" + tenant + "/oauth2/v2.0/token" : dummyToken ,
134+ })
135+ defer s .Close ()
136+
137+ req , _ := http .NewRequest ("GET" , s .URL , nil )
138+
139+ c := microsoftConnector {
140+ apiURL : s .URL ,
141+ graphURL : s .URL ,
142+ tenant : tenant ,
143+ groups : []string {"a" },
144+ }
145+ _ , err := c .HandleCallback (connector.Scopes {Groups : true }, req )
146+ if err == nil {
147+ t .Fatal ("expected error when user is not in any required group, got nil" )
148+ }
149+
150+ var groupsErr * connector.UserNotInRequiredGroupsError
151+ if ! errors .As (err , & groupsErr ) {
152+ t .Errorf ("expected *connector.UserNotInRequiredGroupsError, got %T: %v" , err , err )
153+ }
154+ }
155+
122156func newTestServer (responses map [string ]testResponse ) * httptest.Server {
123157 s := httptest .NewServer (http .HandlerFunc (func (w http.ResponseWriter , r * http.Request ) {
124158 response , found := responses [r .RequestURI ]
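Review bot: The denial path is only pinned for a user who is in the wrong groups (`"value": []string{"c", "d"}` in the getMemberGroups response); a user whose membership list is empty is the other input the allow-list must reject and the one most likely to regress in a membership check, so a second case with `"value": []string{}` — a sibling test or a table loop over both membership lists feeding the same fixture — would close that gap. The error from `http.NewRequest` is dropped with `req, _ :=`; `req, err := http.NewRequest("GET", s.URL, nil); if err != nil { t.Fatal(err) }` keeps a malformed test URL from surfacing as a confusing nil-request failure inside HandleCallback. Since the identity return is discarded (`_, err := c.HandleCallback(...)`), it is also worth asserting it is the zero value so that a denial never hands a partially populated identity back to the caller — presumably HandleCallback returns an empty identity alongside the error, but that contract is not visible here and should be confirmed. Whether the connector also fails closed when the getMemberGroups call itself errors (non-200 from Graph) is not covered by this hunk; if such a branch exists, it deserves the same `errors.As` assertion.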