
public function TeamApiProductAccessTest::testTeamApiProductAccess in Apigee Edge 8

Tests team API product access.

File

modules/apigee_edge_teams/tests/src/Functional/TeamApiProductAccessTest.php, line 204

Class

TeamApiProductAccessTest
Team-level API product access test.

Namespace

Drupal\Tests\apigee_edge_teams\Functional

Code

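/**
 * Tests team API product access.
 *
 * Checks the expected operations ("view", "view label", "assign") per API
 * product visibility for a developer outside any team and for a team member,
 * then checks the team app creation form, and finally re-checks the former
 * team member after the membership has been removed.
 *
 * NOTE(review): checkEntityAccess() is defined outside this method. The
 * comments below assume it also asserts that every operation NOT listed for a
 * visibility is denied — confirm against the helper, because the negative
 * cases (no "assign" on private/internal products, no access to the private
 * product after removal) depend on it.
 */
public function testTeamApiProductAccess() {

  // The API product access of a developer who is not a member of any team
  // must not be affected by team-level API product access.
  $this->checkEntityAccess([
    self::PUBLIC_VISIBILITY => [
      'view',
      'view label',
      'assign',
    ],
  ], $this->developer);

  // Check team API product entity access.
  // The team member gets "assign" on the public API product through the
  // developer-level API product access settings.
  // The team member must not get "assign" on the private API product: that
  // would let the member attach a team-only product to a developer app.
  $should_have_access = [
    self::PUBLIC_VISIBILITY => [
      'view',
      'view label',
      'assign',
    ],
    self::PRIVATE_VISIBILITY => [
      'view',
      'view label',
    ],
  ];
  $this->checkEntityAccess($should_have_access, $this->team_member);

  // Create a developer app for team_member with the internal API product.
  // The developer id is read once and reused for the app and its credential
  // controller so both are guaranteed to refer to the same developer.
  $developer_id = $this->team_member->get('apigee_edge_developer_id')->value;

  /** @var \Drupal\apigee_edge\Entity\DeveloperAppInterface $team_member_app */
  $team_member_app = $this->container
    ->get('entity_type.manager')
    ->getStorage('developer_app')
    ->create([
      'name' => $this->randomMachineName(),
      'status' => DeveloperAppInterface::STATUS_APPROVED,
      'developerId' => $developer_id,
    ]);
  $team_member_app->save();

  // Credential controller scoped to this developer and this app, obtained
  // from the credential controller factory service.
  $dacc = $this->container
    ->get('apigee_edge.controller.developer_app_credential_factory')
    ->developerAppCredentialController($developer_id, $team_member_app->getName());

  $credentials = $team_member_app->getCredentials();
  // reset() returns FALSE on an empty array; fail with a readable message
  // instead of a fatal "member function on bool" error further down.
  $this->assertNotEmpty($credentials, 'The developer app of the team member has at least one credential.');

  /** @var \Apigee\Edge\Api\Management\Entity\AppCredentialInterface $credential */
  $credential = reset($credentials);
  $dacc->addProducts($credential->getConsumerKey(), [
    $this->apiProducts[self::INTERNAL_VISIBILITY]->id(),
  ]);

  // The team member is now expected to have "view" and "view label" access
  // to the internal API product because it owns a developer app with that
  // product. "assign" is deliberately not listed: this case ensures that
  // owning such an app did not accidentally grant "assign" on the internal
  // product.
  $should_have_access += [
    self::INTERNAL_VISIBILITY => [
      'view',
      'view label',
    ],
  ];
  $this->checkEntityAccess($should_have_access, $this->team_member);

  // >>> Team member.
  $this->drupalLogin($this->team_member);

  // Team member should see only the private API product on the team app
  // creation form.
  $this->drupalGet(Url::fromRoute('entity.team_app.add_form_for_team', [
    'team' => $this->team->id(),
  ]));
  $this->assertSession()
    ->pageTextContains($this->apiProducts[self::PRIVATE_VISIBILITY]->label());
  $this->assertSession()
    ->pageTextNotContains($this->apiProducts[self::PUBLIC_VISIBILITY]->label());
  $this->assertSession()
    ->pageTextNotContains($this->apiProducts[self::INTERNAL_VISIBILITY]->label());

  // After the team member's entity access to the API products has been
  // validated there is no need to validate the developer app add/edit forms:
  // those are covered by the parent module's ApiProductAccessTest, which
  // ensures the API product list is filtered properly there.
  // \Drupal\Tests\apigee_edge\FunctionalJavascript\ApiProductAccessTest.
  $this->drupalLogout();

  // <<< Team member.
  // When a team member is removed from the team, its API product access must
  // be re-evaluated; access served from a stale cache would leave the former
  // member with team-level access it should no longer have.
  // NOTE(review): the original note requires the membership manager to come
  // from \Drupal::service() so that the correct cache instances are
  // invalidated; $this->teamMembershipManager is initialised outside this
  // method — confirm it is obtained that way.
  // \Drupal\apigee_edge_teams\TeamMembershipManager::invalidateCaches()
  $this->teamMembershipManager->removeMembers($this->team->id(), [
    $this->team_member->getEmail(),
  ]);

  // Expected access after removal: the private API product is no longer
  // listed, while the developer-level public access and the app-based
  // internal "view"/"view label" access remain.
  $should_have_access = [
    self::PUBLIC_VISIBILITY => [
      'view',
      'view label',
      'assign',
    ],
    self::INTERNAL_VISIBILITY => [
      'view',
      'view label',
    ],
  ];
  $this->checkEntityAccess($should_have_access, $this->team_member);
}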