
Commit 3100eeb

fetch only security group membership
1 parent 0ed032c commit 3100eeb


2 files changed

+23
-12
lines changed


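--- a/plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealm.java
+++ b/plugins/microsoft-graph-authz/src/main/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealm.java
@@ -14,6 +14,8 @@
 import com.microsoft.graph.core.tasks.PageIterator;
 import com.microsoft.graph.models.DirectoryObject;
 import com.microsoft.graph.models.DirectoryObjectCollectionResponse;
+import com.microsoft.graph.models.Group;
+import com.microsoft.graph.models.GroupCollectionResponse;
 import com.microsoft.graph.serviceclient.GraphServiceClient;
 import com.microsoft.kiota.authentication.AzureIdentityAuthenticationProvider;
 
@@ -196,14 +198,14 @@ private Tuple<String, String> sdkFetchUserProperties(GraphServiceClient client,
 private List<String> sdkFetchGroupMembership(GraphServiceClient client, String userId) throws ReflectiveOperationException {
 List<String> groups = new ArrayList<>();
 
-var groupMembership = client.users().byUserId(userId).transitiveMemberOf().get(requestConfig -> {
+var groupMembership = client.users().byUserId(userId).transitiveMemberOf().graphGroup().get(requestConfig -> {
 requestConfig.queryParameters.select = new String[] { "id" };
 requestConfig.queryParameters.top = 999;
 });
 
-var pageIterator = new PageIterator.Builder<DirectoryObject, DirectoryObjectCollectionResponse>().client(client)
+var pageIterator = new PageIterator.Builder<Group, GroupCollectionResponse>().client(client)
 .collectionPage(groupMembership)
-.collectionPageFactory(DirectoryObjectCollectionResponse::createFromDiscriminatorValue)
+.collectionPageFactory(GroupCollectionResponse::createFromDiscriminatorValue)
 .requestConfigurator(requestInfo -> {
 requestInfo.addQueryParameter("%24select", new String[] { "id" });
 requestInfo.addQueryParameter("%24top", "999");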
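Review bot: The request at new line 201 narrows `transitiveMemberOf()` with the `microsoft.graph.group` OData cast, which returns group objects of every type (Microsoft 365, distribution, mail-enabled as well as security groups), not only security groups as the commit title says; if the realm is meant to map security groups only, the request also needs `$filter=securityEnabled eq true`, which Graph most likely treats as an advanced query requiring `$count=true` and the `ConsistencyLevel: eventual` header — confirm against the Graph documentation before relying on it. Either way the narrowing deserves a comment above line 201, e.g. `// OData cast to microsoft.graph.group: only group objects are returned; ids of other transitive memberships (directory roles, administrative units) are no longer added to the list`, since the old DirectoryObject-based query returned every membership id to the role mapping. The `DirectoryObject` and `DirectoryObjectCollectionResponse` imports at lines 15–16 are no longer referenced inside this hunk; whether they are still used elsewhere in the file is not visible here. The body of sdkFetchGroupMembership continues past the end of the hunk, so the mapping of page entries to ids is not shown.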

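--- a/plugins/microsoft-graph-authz/src/test/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealmTests.java
+++ b/plugins/microsoft-graph-authz/src/test/java/org/elasticsearch/xpack/security/authz/microsoft/MicrosoftGraphAuthzRealmTests.java
@@ -9,13 +9,14 @@
 
 package org.elasticsearch.xpack.security.authz.microsoft;
 
-import com.microsoft.graph.models.DirectoryObjectCollectionResponse;
 import com.microsoft.graph.models.Group;
+import com.microsoft.graph.models.GroupCollectionResponse;
 import com.microsoft.graph.models.odataerrors.MainError;
 import com.microsoft.graph.models.odataerrors.ODataError;
 import com.microsoft.graph.serviceclient.GraphServiceClient;
 import com.microsoft.graph.users.UsersRequestBuilder;
 import com.microsoft.graph.users.item.UserItemRequestBuilder;
+import com.microsoft.graph.users.item.transitivememberof.graphgroup.GraphGroupRequestBuilder;
 import com.microsoft.graph.users.item.transitivememberof.TransitiveMemberOfRequestBuilder;
 import com.microsoft.kiota.RequestAdapter;
 
@@ -46,7 +47,9 @@
 import static org.hamcrest.Matchers.equalTo;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.eq;
-import static org.mockito.Mockito.*;
+import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.doAnswer;
 
 public class MicrosoftGraphAuthzRealmTests extends ESTestCase {
 
@@ -96,13 +99,15 @@ public void testLookupUser() {
 when(userItemRequestBuilder.get(any())).thenReturn(msUser);
 
 final var memberOfRequestBuilder = mock(TransitiveMemberOfRequestBuilder.class);
+final var graphGroupRequestBuilder = mock(GraphGroupRequestBuilder.class);
 final var group = new Group();
 group.setId(groupId);
-final var groupMembership = new DirectoryObjectCollectionResponse();
+final var groupMembership = new GroupCollectionResponse();
 groupMembership.setValue(List.of(group));
 
 when(userItemRequestBuilder.transitiveMemberOf()).thenReturn(memberOfRequestBuilder);
-when(memberOfRequestBuilder.get(any())).thenReturn(groupMembership);
+when(memberOfRequestBuilder.graphGroup()).thenReturn(graphGroupRequestBuilder);
+when(graphGroupRequestBuilder.get(any())).thenReturn(groupMembership);
 
 final var licenseState = MockLicenseState.createMock();
 when(licenseState.isAllowed(eq(MICROSOFT_GRAPH_FEATURE))).thenReturn(true);
@@ -176,14 +181,16 @@ public void testHandleGetGroupMembershipError() {
 when(userItemRequestBuilder.get(any())).thenReturn(msUser);
 
 final var memberOfRequestBuilder = mock(TransitiveMemberOfRequestBuilder.class);
+final var graphGroupRequestBuilder = mock(GraphGroupRequestBuilder.class);
 final var graphError = new ODataError();
 final var error = new MainError();
 error.setCode("badRequest");
 error.setMessage("bad stuff happened");
 graphError.setError(error);
 
 when(userItemRequestBuilder.transitiveMemberOf()).thenReturn(memberOfRequestBuilder);
-when(memberOfRequestBuilder.get(any())).thenThrow(graphError);
+when(memberOfRequestBuilder.graphGroup()).thenReturn(graphGroupRequestBuilder);
+when(graphGroupRequestBuilder.get(any())).thenThrow(graphError);
 
 final var licenseState = MockLicenseState.createMock();
 when(licenseState.isAllowed(eq(MICROSOFT_GRAPH_FEATURE))).thenReturn(true);
@@ -222,25 +229,27 @@ public void testGroupMembershipPagination() {
 when(userItemRequestBuilder.get(any())).thenReturn(msUser);
 
 final var memberOfRequestBuilder = mock(TransitiveMemberOfRequestBuilder.class);
+final var graphGroupRequestBuilder = mock(GraphGroupRequestBuilder.class);
 final var group1 = new Group();
 group1.setId(groupId);
-final var groupMembership1 = new DirectoryObjectCollectionResponse();
+final var groupMembership1 = new GroupCollectionResponse();
 groupMembership1.setValue(List.of(group1));
 groupMembership1.setOdataNextLink("http://localhost:12345/page2");
 
 final var group2 = new Group();
 group2.setId(groupId2);
-final var groupMembership2 = new DirectoryObjectCollectionResponse();
+final var groupMembership2 = new GroupCollectionResponse();
 groupMembership2.setValue(List.of(group2));
 groupMembership2.setOdataNextLink("http://localhost:12345/page3");
 
 final var group3 = new Group();
 group3.setId(groupId3);
-final var groupMembership3 = new DirectoryObjectCollectionResponse();
+final var groupMembership3 = new GroupCollectionResponse();
 groupMembership3.setValue(List.of(group3));
 
 when(userItemRequestBuilder.transitiveMemberOf()).thenReturn(memberOfRequestBuilder);
-when(memberOfRequestBuilder.get(any())).thenReturn(groupMembership1);
+when(memberOfRequestBuilder.graphGroup()).thenReturn(graphGroupRequestBuilder);
+when(graphGroupRequestBuilder.get(any())).thenReturn(groupMembership1);
 when(requestAdapter.send(any(), any(), any())).thenReturn(groupMembership2, groupMembership3);
 
 final var licenseState = MockLicenseState.createMock();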
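Review bot: The three explicit static Mockito imports that replace the wildcard at new lines 50–52 are listed as `when`, `mock`, `doAnswer`, which is not the alphabetical order the neighbouring static imports (`equalTo`; `any`, `eq`) follow; reorder them to `import static org.mockito.Mockito.doAnswer;`, `import static org.mockito.Mockito.mock;`, `import static org.mockito.Mockito.when;`. Replacing the wildcard itself is an improvement, and the remaining hunks only re-wire the mocks to the new `graphGroup()` request builder, which matches the realm change.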
