singleloginsystem/tests/Feature/MicrosoftGraphFederationTest.php
= 215d3cad7f Refactor: Enhance Microsoft Graph Federation error handling and logging
- Improved logging for `MicrosoftGraphService` methods to provide detailed insights into federation configuration processes.
- Refactored error handling for domain federation configuration, including specific checks for authorization and resource errors.
- Streamlined federation flow logic and made it more resilient to exceptions.
- Updated UI components to handle configuration states more effectively and added button functionality for failed connections.
- Expanded test coverage for Microsoft Graph Federation scenarios, including authorization failures and domain validation.
- masked the sensitive fields
2026-06-02 12:25:57 +00:00

255 lines
10 KiB
PHP

<?php
declare(strict_types=1);
use App\Enums\ConnectionStatusEnum;
use App\Models\User;
use Illuminate\Support\Facades\{Config, File, Http};
use Livewire\Livewire;
beforeEach(function (): void {
$this->seed(Database\Seeders\DatabaseSeeder::class);
$this->admin = User::where('email', 'admin@example.com')->firstOrFail();
// Ensure mock SAML certificate directory and file exists for tests
$directory = storage_path('app/saml');
if (! File::exists($directory)) {
File::makeDirectory($directory, 0755, true);
}
if (! File::exists("{$directory}/idp.crt")) {
File::put("{$directory}/idp.crt", "-----BEGIN CERTIFICATE-----\nMIIE3jCCAsagAwIBAgIQQcyDaZz3MI\n-----END CERTIFICATE-----");
}
});
test('guest is redirected to login when visiting microsoft federation page', function (): void {
$response = $this->get(route('apps.microsoft-federation'));
$response->assertRedirect(route('login'));
});
test('administrator can render microsoft federation page', function (): void {
$response = $this->actingAs($this->admin)->get(route('apps.microsoft-federation'));
$response->assertStatus(200);
});
test('renders warning banner if credentials are not configured in environment', function (): void {
Config::set('services.microsoft_graph', [
'tenant_id' => '',
'client_id' => '',
'client_secret' => '',
'domain_name' => '',
]);
Livewire::actingAs($this->admin)
->test('pages::connecton-providers.microsoft-federation')
->assertSet('credentialsLoaded', false)
->assertSee('Environment Configuration Required');
});
test('loads credentials and check status successfully if configured', function (): void {
Config::set('services.microsoft_graph', [
'tenant_id' => 'mock-tenant-id',
'client_id' => 'mock-client-id',
'client_secret' => 'mock-client-secret',
'domain_name' => 'mockdomain.com',
'display_name' => 'Company SSO',
'mfa_behavior' => 'acceptIfMfaDoneByFederatedIdp',
]);
// Fake Microsoft Graph API responses
Http::fake([
'https://login.microsoftonline.com/mock-tenant-id/oauth2/v2.0/token' => Http::response([
'access_token' => 'mock-access-token',
'token_type' => 'Bearer',
'expires_in' => 3600,
], 200),
'https://graph.microsoft.com/v1.0/domains/mockdomain.com/federationConfiguration' => Http::response([
'value' => [
[
'id' => 'mock-federation-id',
'displayName' => 'Company SSO',
'issuerUri' => 'http://localhost/saml/metadata',
'preferredAuthenticationProtocol' => 'saml',
'federatedIdpMfaBehavior' => 'acceptIfMfaDoneByFederatedIdp',
'signingCertificate' => 'MIIE3jCCAsagAwIBAgIQQcyDaZz3MI',
],
],
], 200),
]);
Livewire::actingAs($this->admin)
->test('pages::connecton-providers.microsoft-federation')
->assertSet('credentialsLoaded', true)
->assertSet('connectionStatus', ConnectionStatusEnum::Connected)
->assertSet('federationId', 'mock-federation-id')
->assertSee('Active Federation State');
});
test('can connect/federate domain successfully', function (): void {
Config::set('services.microsoft_graph', [
'tenant_id' => 'mock-tenant-id',
'client_id' => 'mock-client-id',
'client_secret' => 'mock-client-secret',
'domain_name' => 'mockdomain.com',
'display_name' => 'Company SSO',
'mfa_behavior' => 'acceptIfMfaDoneByFederatedIdp',
]);
Http::fake([
'https://login.microsoftonline.com/mock-tenant-id/oauth2/v2.0/token' => Http::response([
'access_token' => 'mock-access-token',
], 200),
'https://graph.microsoft.com/v1.0/domains/mockdomain.com/federationConfiguration' => function ($request) {
if ('GET' === $request->method()) {
return Http::response(['value' => []], 200);
}
if ('POST' === $request->method()) {
return Http::response([
'id' => 'new-federation-id',
'displayName' => 'Company SSO',
'issuerUri' => 'http://localhost/saml/metadata',
'preferredAuthenticationProtocol' => 'saml',
'federatedIdpMfaBehavior' => 'acceptIfMfaDoneByFederatedIdp',
'signingCertificate' => 'MIIE3jCCAsagAwIBAgIQQcyDaZz3MI',
], 200);
}
return Http::response(null, 404);
},
]);
Livewire::actingAs($this->admin)
->test('pages::connecton-providers.microsoft-federation')
->set('connectionStatus', ConnectionStatusEnum::Disconnected)
->call('connect')
->assertSet('connectionStatus', ConnectionStatusEnum::Connected)
->assertSet('federationId', 'new-federation-id');
});
test('can disconnect federation successfully', function (): void {
Config::set('services.microsoft_graph', [
'tenant_id' => 'mock-tenant-id',
'client_id' => 'mock-client-id',
'client_secret' => 'mock-client-secret',
'domain_name' => 'mockdomain.com',
'display_name' => 'Company SSO',
'mfa_behavior' => 'acceptIfMfaDoneByFederatedIdp',
]);
Http::fake([
'https://login.microsoftonline.com/mock-tenant-id/oauth2/v2.0/token' => Http::response([
'access_token' => 'mock-access-token',
], 200),
'https://graph.microsoft.com/v1.0/domains/mockdomain.com/federationConfiguration/mock-federation-id' => Http::response(null, 204),
]);
Livewire::actingAs($this->admin)
->test('pages::connecton-providers.microsoft-federation')
->set('connectionStatus', ConnectionStatusEnum::Connected)
->set('federationId', 'mock-federation-id')
->call('disconnect')
->assertSet('connectionStatus', ConnectionStatusEnum::Disconnected)
->assertSet('federationId', null);
});
test('renders error state if status check fails due to authorization request denied', function (): void {
Config::set('services.microsoft_graph', [
'tenant_id' => 'mock-tenant-id',
'client_id' => 'mock-client-id',
'client_secret' => 'mock-client-secret',
'domain_name' => 'mockdomain.com',
'display_name' => 'Company SSO',
'mfa_behavior' => 'acceptIfMfaDoneByFederatedIdp',
]);
Http::fake([
'https://login.microsoftonline.com/mock-tenant-id/oauth2/v2.0/token' => Http::response([
'access_token' => 'mock-access-token',
], 200),
'https://graph.microsoft.com/v1.0/domains/mockdomain.com/federationConfiguration' => Http::response([
'error' => [
'code' => 'Authorization_RequestDenied',
'message' => 'Insufficient privileges to complete the operation.',
'innerError' => [
'date' => '2026-06-02T09:06:37',
'request-id' => '7f6c85c5-4a55-47f8-91dd-f62e264583e7',
],
],
], 403),
]);
Livewire::actingAs($this->admin)
->test('pages::connecton-providers.microsoft-federation')
->assertSet('connectionStatus', ConnectionStatusEnum::Error)
->assertSee('Insufficient privileges to complete the operation.');
});
test('renders managed state if status check returns Request_ResourceNotFound 404', function (): void {
Config::set('services.microsoft_graph', [
'tenant_id' => 'mock-tenant-id',
'client_id' => 'mock-client-id',
'client_secret' => 'mock-client-secret',
'domain_name' => 'mockdomain.com',
'display_name' => 'Company SSO',
'mfa_behavior' => 'acceptIfMfaDoneByFederatedIdp',
]);
Http::fake([
'https://login.microsoftonline.com/mock-tenant-id/oauth2/v2.0/token' => Http::response([
'access_token' => 'mock-access-token',
], 200),
'https://graph.microsoft.com/v1.0/domains/mockdomain.com/federationConfiguration' => Http::response([
'error' => [
'code' => 'Request_ResourceNotFound',
'message' => "Resource 'federationConfiguration' does not exist or one of its queried reference-property objects are not present.",
'innerError' => [
'date' => '2026-06-02T09:40:58',
'request-id' => 'e7f31a03-80bf-4b42-b1ca-6af8c156fed7',
'client-request-id' => 'e7f31a03-80bf-4b42-b1ca-6af8c156fed7',
],
],
], 404),
]);
Livewire::actingAs($this->admin)
->test('pages::connecton-providers.microsoft-federation')
->assertSet('connectionStatus', ConnectionStatusEnum::Disconnected)
->assertSet('federationId', null)
->assertSee('No Active Federation')
->assertSee('Managed');
});
test('renders error state if status check fails due to domain not found in Entra ID', function (): void {
Config::set('services.microsoft_graph', [
'tenant_id' => 'mock-tenant-id',
'client_id' => 'mock-client-id',
'client_secret' => 'mock-client-secret',
'domain_name' => 'mockdomain.com',
'display_name' => 'Company SSO',
'mfa_behavior' => 'acceptIfMfaDoneByFederatedIdp',
]);
Http::fake([
'https://login.microsoftonline.com/mock-tenant-id/oauth2/v2.0/token' => Http::response([
'access_token' => 'mock-access-token',
], 200),
'https://graph.microsoft.com/v1.0/domains/mockdomain.com/federationConfiguration' => Http::response([
'error' => [
'code' => 'Request_ResourceNotFound',
'message' => "Resource '{0}' does not exist or one of its queried reference-property objects are not present.",
'innerError' => [
'date' => '2026-06-02T09:50:46',
'request-id' => '08b35000-608d-4ccd-8caf-8ea42fd13812',
'client-request-id' => '08b35000-608d-4ccd-8caf-8ea42fd13812',
],
],
], 404),
]);
Livewire::actingAs($this->admin)
->test('pages::connecton-providers.microsoft-federation')
->assertSet('connectionStatus', ConnectionStatusEnum::Error)
->assertSee("Resource '{0}' does not exist");
});