|
| 1 | +// MIT License |
| 2 | +// |
| 3 | +// Copyright (c) Microsoft Corporation. |
| 4 | +// |
| 5 | +// Permission is hereby granted, free of charge, to any person obtaining a copy |
| 6 | +// of this software and associated documentation files (the "Software"), to deal |
| 7 | +// in the Software without restriction, including without limitation the rights |
| 8 | +// to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
| 9 | +// copies of the Software, and to permit persons to whom the Software is |
| 10 | +// furnished to do so, subject to the following conditions: |
| 11 | +// |
| 12 | +// The above copyright notice and this permission notice shall be included in all |
| 13 | +// copies or substantial portions of the Software. |
| 14 | +// |
| 15 | +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
| 16 | +// IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
| 17 | +// FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
| 18 | +// AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
| 19 | +// LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
| 20 | +// OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE |
| 21 | +// SOFTWARE |
| 22 | + |
| 23 | +package e2etests |
| 24 | + |
| 25 | +import ( |
| 26 | + "os" |
| 27 | + "path" |
| 28 | + "runtime" |
| 29 | + "strings" |
| 30 | + "testing" |
| 31 | + |
| 32 | + "github.com/Azure/mpf/pkg/infrastructure/authorizationCheckers/terraform" |
| 33 | + rgm "github.com/Azure/mpf/pkg/infrastructure/resourceGroupManager" |
| 34 | + spram "github.com/Azure/mpf/pkg/infrastructure/spRoleAssignmentManager" |
| 35 | + "github.com/Azure/mpf/pkg/usecase" |
| 36 | + log "github.com/sirupsen/logrus" |
| 37 | + "github.com/stretchr/testify/assert" |
| 38 | +) |
| 39 | + |
| 40 | +// TestTerraformAuthorizationRequestDenied exercises the Authorization_RequestDenied |
| 41 | +// path end-to-end. The sample creates an azuread_group, which requires Microsoft |
| 42 | +// Graph application permissions (admin consent / Global Administrator) that MPF |
| 43 | +// cannot auto-discover. MPF should fail with a clear guidance error instead of |
| 44 | +// silently looping or producing a misleading parse error. |
| 45 | +func TestTerraformAuthorizationRequestDenied(t *testing.T) { |
| 46 | + mpfArgs, err := getTestingMPFArgs() |
| 47 | + if err != nil { |
| 48 | + t.Skip("required environment variables not set, skipping end to end test") |
| 49 | + } |
| 50 | + mpfArgs.MPFMode = "terraform" |
| 51 | + |
| 52 | + if os.Getenv("MPF_TFPATH") == "" { |
| 53 | + t.Skip("Terraform Path MPF_TFPATH not set, skipping end to end test") |
| 54 | + } |
| 55 | + tfpath := os.Getenv("MPF_TFPATH") |
| 56 | + |
| 57 | + _, filename, _, _ := runtime.Caller(0) |
| 58 | + curDir := path.Dir(filename) |
| 59 | + log.Infof("curDir: %s", curDir) |
| 60 | + wrkDir := path.Join(curDir, "../samples/terraform/authorization-request-denied") |
| 61 | + log.Infof("wrkDir: %s", wrkDir) |
| 62 | + |
| 63 | + // Clean up Terraform artifacts before and after test |
| 64 | + cleanTerraformWorkingDir(t, wrkDir) |
| 65 | + t.Cleanup(func() { cleanTerraformWorkingDir(t, wrkDir) }) |
| 66 | + |
| 67 | + ctx := t.Context() |
| 68 | + |
| 69 | + mpfConfig := getMPFConfig(mpfArgs) |
| 70 | + |
| 71 | + var rgManager usecase.ResourceGroupManager = rgm.NewResourceGroupManager(mpfArgs.SubscriptionID) |
| 72 | + var spRoleAssignmentManager usecase.ServicePrincipalRolemAssignmentManager = spram.NewSPRoleAssignmentManager(mpfArgs.SubscriptionID) |
| 73 | + |
| 74 | + initialPermissionsToAdd := []string{"Microsoft.Resources/deployments/read", "Microsoft.Resources/deployments/write"} |
| 75 | + permissionsToAddToResult := []string{"Microsoft.Resources/deployments/read", "Microsoft.Resources/deployments/write"} |
| 76 | + deploymentAuthorizationCheckerCleaner := terraform.NewTerraformAuthorizationChecker(wrkDir, tfpath, "", true, "") |
| 77 | + mpfService := usecase.NewMPFService(ctx, rgManager, spRoleAssignmentManager, deploymentAuthorizationCheckerCleaner, mpfConfig, initialPermissionsToAdd, permissionsToAddToResult, false, true, false) |
| 78 | + |
| 79 | + _, err = mpfService.GetMinimumPermissionsRequired() |
| 80 | + assert.Error(t, err) |
| 81 | + if err != nil { |
| 82 | + assert.True(t, |
| 83 | + strings.Contains(err.Error(), "Authorization_RequestDenied"), |
| 84 | + "expected error to mention Authorization_RequestDenied, got: %v", err) |
| 85 | + } |
| 86 | +} |
0 commit comments