update oidc tests to match the latest requirements

Author: XiNiHa

integration-tests/testkit/flow.ts

@@ -158,6 +158,17 @@ export function getOrganization(organizationSlug: string, authToken: string) {
             reportingOperations
             enablingUsageBasedBreakingChanges
           }
+          me {
+            id
+            user {
+              id
+            }
+            role {
+              id
+              name
+              permissions
+            }
+          }
         }
       }
     `),

integration-tests/testkit/seed.ts

@@ -889,49 +889,67 @@ export function initSeed() {
                 },
               };
             },
-            async inviteAndJoinMember(
-              inviteToken: string = ownerToken,
-              memberRoleId: string | undefined = undefined,
-              resources: GraphQLSchema.ResourceAssignmentInput | undefined = undefined,
-            ) {
+            async inviteAndJoinMember(options?: {
+              inviteToken?: string;
+              memberRoleId?: string | undefined;
+              oidcIntegrationId?: string | undefined;
+              resources?: GraphQLSchema.ResourceAssignmentInput | undefined;
+            }) {
+              const { inviteToken, memberRoleId, oidcIntegrationId, resources } = Object.assign(
+                options ?? {},
+                {
+                  inviteToken: ownerToken,
+                },
+              );
               const memberEmail = userEmail(generateUnique());
-              const memberToken = await authenticate(memberEmail).then(r => r.access_token);
+              const memberToken = await authenticate(memberEmail, oidcIntegrationId).then(
+                r => r.access_token,
+              );
 
-              const invitationResult = await inviteToOrganization(
-                {
-                  organization: {
-                    bySelector: {
-                      organizationSlug: organization.slug,
+              if (!oidcIntegrationId) {
+                const invitationResult = await inviteToOrganization(
+                  {
+                    organization: {
+                      bySelector: {
+                        organizationSlug: organization.slug,
+                      },
                     },
+                    email: memberEmail,
+                    memberRoleId,
+                    resources,
                   },
-                  email: memberEmail,
-                  memberRoleId,
-                  resources,
-                },
-                inviteToken,
-              ).then(r => r.expectNoGraphQLErrors());
-
-              const code =
-                invitationResult.inviteToOrganizationByEmail.ok?.createdOrganizationInvitation.code;
+                  inviteToken,
+                ).then(r => r.expectNoGraphQLErrors());
+                const code =
+                  invitationResult.inviteToOrganizationByEmail.ok?.createdOrganizationInvitation
+                    .code;
+
+                if (!code) {
+                  throw new Error(
+                    `Could not create invitation for ${memberEmail} to join org ${organization.slug}`,
+                  );
+                }
 
-              if (!code) {
-                throw new Error(
-                  `Could not create invitation for ${memberEmail} to join org ${organization.slug}`,
+                const joinResult = await joinOrganization(code, memberToken).then(r =>
+                  r.expectNoGraphQLErrors(),
                 );
+
+                if (joinResult.joinOrganization.__typename !== 'OrganizationPayload') {
+                  throw new Error(
+                    `Member ${memberEmail} could not join organization ${organization.slug}`,
+                  );
+                }
               }
 
-              const joinResult = await joinOrganization(code, memberToken).then(r =>
+              const orgAfterJoin = await getOrganization(organization.slug, memberToken).then(r =>
                 r.expectNoGraphQLErrors(),
               );
+              const member = orgAfterJoin.organization?.me;
 
-              if (joinResult.joinOrganization.__typename !== 'OrganizationPayload') {
-                throw new Error(
-                  `Member ${memberEmail} could not join organization ${organization.slug}`,
-                );
+              if (!member) {
+              	throw new Error(`Could not retrieve membership for ${memberEmail} in ${organization.slug} after joining`)
               }
 
-              const member = joinResult.joinOrganization.organization.me;
-
               return {
                 member,
                 memberEmail,

integration-tests/tests/api/oidc-integrations/crud.spec.ts

@@ -540,78 +540,6 @@ describe('delete', () => {
         ]),
       );
     });
-
-    test.concurrent(
-      'success: upon integration deletion oidc members are also deleted',
-      async ({ expect }) => {
-        const seed = initSeed();
-        const { ownerToken, createOrg } = await seed.createOwner();
-        const { organization } = await createOrg();
-
-        const createResult = await execute({
-          document: CreateOIDCIntegrationMutation,
-          variables: {
-            input: {
-              organizationId: organization.id,
-              clientId: 'foo',
-              clientSecret: 'foofoofoofoo',
-              tokenEndpoint: 'http://localhost:8888/oauth/token',
-              userinfoEndpoint: 'http://localhost:8888/oauth/userinfo',
-              authorizationEndpoint: 'http://localhost:8888/oauth/authorize',
-            },
-          },
-          authToken: ownerToken,
-        }).then(r => r.expectNoGraphQLErrors());
-
-        const oidcIntegrationId = createResult.createOIDCIntegration.ok!.createdOIDCIntegration.id;
-
-        const MeQuery = graphql(`
-          query Me {
-            me {
-              id
-            }
-          }
-        `);
-
-        const { access_token: memberAccessToken } = await seed.authenticate(
-          seed.generateEmail(),
-          oidcIntegrationId,
-        );
-        const meResult = await execute({
-          document: MeQuery,
-          authToken: memberAccessToken,
-        }).then(r => r.expectNoGraphQLErrors());
-
-        expect(meResult).toEqual({
-          me: {
-            id: expect.any(String),
-          },
-        });
-
-        await execute({
-          document: DeleteOIDCIntegrationMutation,
-          variables: {
-            input: {
-              oidcIntegrationId,
-            },
-          },
-          authToken: ownerToken,
-        }).then(r => r.expectNoGraphQLErrors());
-
-        const refetchedMeResult = await execute({
-          document: MeQuery,
-          authToken: memberAccessToken,
-        }).then(r => r.expectGraphQLErrors());
-
-        expect(refetchedMeResult).toEqual(
-          expect.arrayContaining([
-            expect.objectContaining({
-              message: `No access (reason: "User not found")`,
-            }),
-          ]),
-        );
-      },
-    );
   });
 });
 
@@ -777,45 +705,50 @@ describe('restrictions', () => {
     return result.createOIDCIntegration.ok!.createdOIDCIntegration.id;
   }
 
-  test.concurrent('non-oidc users cannot join an organization (default)', async ({ expect }) => {
-    const seed = initSeed();
-    const { ownerToken, createOrg } = await seed.createOwner();
-    const { organization, inviteMember, joinMemberUsingCode } = await createOrg();
+  test.concurrent(
+    'users authorized with non-OIDC method cannot join an organization (default)',
+    async ({ expect }) => {
+      const seed = initSeed();
+      const { ownerToken, createOrg } = await seed.createOwner();
+      const { organization, inviteMember, joinMemberUsingCode } = await createOrg();
 
-    await configureOIDC({
-      ownerToken,
-      organizationId: organization.id,
-    });
+      await configureOIDC({
+        ownerToken,
+        organizationId: organization.id,
+      });
 
-    const refetchedOrg = await execute({
-      document: OrganizationWithOIDCIntegration,
-      variables: {
-        organizationSlug: organization.slug,
-      },
-      authToken: ownerToken,
-    }).then(r => r.expectNoGraphQLErrors());
+      const refetchedOrg = await execute({
+        document: OrganizationWithOIDCIntegration,
+        variables: {
+          organizationSlug: organization.slug,
+        },
+        authToken: ownerToken,
+      }).then(r => r.expectNoGraphQLErrors());
 
-    expect(refetchedOrg.organization?.oidcIntegration?.oidcUserAccessOnly).toEqual(true);
+      expect(refetchedOrg.organization?.oidcIntegration?.oidcUserAccessOnly).toEqual(true);
 
-    const invitation = await inviteMember('example@example.com');
-    const invitationCode = invitation.ok?.createdOrganizationInvitation.code;
+      const invitation = await inviteMember('example@example.com');
+      const invitationCode = invitation.ok?.createdOrganizationInvitation.code;
 
-    if (!invitationCode) {
-      throw new Error('No invitation code');
-    }
+      if (!invitationCode) {
+        throw new Error('No invitation code');
+      }
 
-    const nonOidcAccount = await seed.authenticate(userEmail('non-oidc-user'));
-    const joinResult = await joinMemberUsingCode(invitationCode, nonOidcAccount.access_token).then(
-      r => r.expectNoGraphQLErrors(),
-    );
+      const nonOidcAccount = await seed.authenticate(userEmail('non-oidc-user'));
+      const joinResult = await joinMemberUsingCode(
+        invitationCode,
+        nonOidcAccount.access_token,
+      ).then(r => r.expectNoGraphQLErrors());
 
-    expect(joinResult.joinOrganization).toEqual(
-      expect.objectContaining({
-        __typename: 'OrganizationInvitationError',
-        message: 'Non-OIDC users are not allowed to join this organization.',
-      }),
-    );
-  });
+      expect(joinResult.joinOrganization).toEqual(
+        expect.objectContaining({
+          __typename: 'OrganizationInvitationError',
+          message:
+            'The user is not authorized through the OIDC integration required for the organization',
+        }),
+      );
+    },
+  );
 
   test.concurrent('non-oidc users can join an organization (opt-in)', async ({ expect }) => {
     const seed = initSeed();
@@ -925,10 +858,8 @@ test.concurrent(
     const seed = initSeed();
     const { createOrg, ownerToken } = await seed.createOwner();
     const { organization, inviteAndJoinMember } = await createOrg();
-    const { createMemberRole, assignMemberRole, updateMemberRole, memberToken, member } =
-      await inviteAndJoinMember();
 
-    await execute({
+    const createOIDCIntegrationResult = await execute({
       document: CreateOIDCIntegrationMutation,
       variables: {
         input: {
@@ -942,7 +873,11 @@ test.concurrent(
       },
       authToken: ownerToken,
     }).then(r => r.expectNoGraphQLErrors());
+    const oidcIntegrationId =
+      createOIDCIntegrationResult.createOIDCIntegration.ok?.createdOIDCIntegration.id;
 
+    const { createMemberRole, assignMemberRole, updateMemberRole, memberToken, member } =
+      await inviteAndJoinMember({ oidcIntegrationId });
     const role = await createMemberRole([]);
     await assignMemberRole({ roleId: role.id, userId: member.id });