introduced test decorator for checking delegated perms

Author: vgrem

examples/auth/with_adal.py

@@ -6,7 +6,7 @@
 """
 
 from office365.graph_client import GraphClient
-from tests import test_tenant_name, test_client_id, test_username, test_password
+from tests import test_client_id, test_password, test_tenant_name, test_username
 
 
 def acquire_token():

office365/directory/groups/group.py

@@ -267,6 +267,18 @@ def members(self):
             ),
         )
 
+    @property
+    def rejected_senders(self):
+        """
+        The list of users or groups not allowed to create posts or calendar events in this group. Nullable
+        """
+        return self.properties.get(
+            "rejectedSenders",
+            DirectoryObjectCollection(
+                self.context, ResourcePath("rejectedSenders", self.resource_path)
+            ),
+        )
+
     @property
     def transitive_members(self):
         """
@@ -425,6 +437,7 @@ def get_property(self, name, default_value=None):
                 "groupTypes": self.group_types,
                 "licenseProcessingState": self.license_processing_state,
                 "permissionGrants": self.permission_grants,
+                "rejectedSenders": self.rejected_senders,
                 "transitiveMembers": self.transitive_members,
                 "transitiveMemberOf": self.transitive_member_of,
             }

tests/booking/test_business.py

@@ -1,32 +1,48 @@
 from office365.booking.business.business import BookingBusiness
+from tests.decorators import requires_delegated_permission
 from tests.graph_case import GraphTestCase
 
 
 class TestBusiness(GraphTestCase):
     business = None  # type: BookingBusiness
 
+    @requires_delegated_permission(
+        "Bookings.Read.All",
+        "Bookings.Manage.All",
+        "Bookings.ReadWrite.All",
+        "BookingsAppointment.ReadWrite.All",
+    )
     def test1_list_booking_business(self):
         result = self.client.solutions.booking_businesses.get().execute_query()
         self.assertIsNotNone(result.resource_path)
 
+    @requires_delegated_permission("Bookings.Manage.All")
     def test2_create_booking_business(self):
         result = self.client.solutions.booking_businesses.add(
             "Fourth Coffee"
         ).execute_query()
         self.assertIsNotNone(result.resource_path)
         self.__class__.business = result
 
-    # def test3_get_staff_availability(self):
+    @requires_delegated_permission(
+        "Bookings.Read.All",
+        "Bookings.Manage.All",
+        "Bookings.ReadWrite.All",
+        "BookingsAppointment.ReadWrite.All",
+    )
+    def test3_ensure_created(self):
+        result = self.__class__.business.get().execute_query_retry()
+        self.assertIsNotNone(result.resource_path)
+
+    #def test4_get_staff_availability(self):
     #    result = self.__class__.business.get_staff_availability().execute_query()
     #    self.assertIsNotNone(result.resource_path)
 
-    def test3_get(self):
-        result = self.__class__.business.get().execute_query()
-        self.assertIsNotNone(result.resource_path)
-
-    def test4_publish(self):
+    @requires_delegated_permission("Bookings.Manage.All")
+    def test5_publish(self):
         result = self.__class__.business.publish().execute_query()
         self.assertIsNotNone(result.resource_path)
 
-    def test5_delete_booking_business(self):
+    @requires_delegated_permission("Bookings.Manage.All")
+    def test6_delete_booking_business(self):
         self.__class__.business.delete_object().execute_query()

tests/decorators.py

@@ -0,0 +1,87 @@
+from functools import lru_cache, wraps
+from typing import Any, Callable, TypeVar
+from unittest import TestCase
+
+from office365.directory.applications.roles.collection import AppRoleCollection
+from office365.graph_client import GraphClient
+from office365.runtime.types.collections import StringCollection
+from tests import test_client_id
+
+T = TypeVar("T", bound=Callable[..., Any])
+
+
+@lru_cache(maxsize=1)
+def _get_cached_permissions(client, client_id):
+    # type: (GraphClient, str) -> AppRoleCollection
+    """Get and cache application permissions for a client"""
+    resource = client.service_principals.get_by_name("Microsoft Graph")
+    result = resource.get_application_permissions(client_id).execute_query()
+    return result.value
+
+
+def requires_app_permission(app_role):
+    # type: (str) -> Callable[[T], T]
+    def decorator(test_method):
+        # type: (T) -> T
+        @wraps(test_method)
+        def wrapper(self, *args, **kwargs):
+            # type: (TestCase, *Any, **Any) -> Any
+            client = getattr(self, "client", None)
+            if not client:
+                self.skipTest("No client available for permission check")
+
+            try:
+                permissions = _get_cached_permissions(client, test_client_id)
+
+                if not any(role.value == app_role for role in permissions):
+                    self.skipTest(f"Required app permission '{app_role}' not granted")
+
+                return test_method(self, *args, **kwargs)
+
+            except Exception as e:
+                self.skipTest(f"Permission check failed: {str(e)}")
+
+        return wrapper
+
+    return decorator
+
+
+@lru_cache(maxsize=1)
+def _get_cached_delegated_permissions(client, client_id):
+    # type: (GraphClient, str) -> StringCollection
+    """Get and cache delegated permissions for a client"""
+    resource = client.service_principals.get_by_name("Microsoft Graph")
+    result = resource.get_delegated_permissions(client_id).execute_query()
+    return result.value
+
+
+def requires_delegated_permission(*scopes):
+    # type: (*str) -> Callable[[T], T]
+    """Decorator to verify delegated permissions before test execution"""
+
+    def decorator(test_method):
+        # type: (T) -> T
+        @wraps(test_method)
+        def wrapper(self, *args, **kwargs):
+            # type: (TestCase, *Any, **Any) -> Any
+            client = getattr(self, "client", None)
+            if not client:
+                self.skipTest("No client available for permission check")
+
+            try:
+                # Get permissions from cache or API
+                granted_scopes = _get_cached_delegated_permissions(client, test_client_id)
+
+                if not any(scope in granted_scopes for scope in scopes):
+                    self.skipTest(
+                        f"Required delegated permission '{', '.join(scopes)}' not granted"
+                    )
+
+                return test_method(self, *args, **kwargs)
+
+            except Exception as e:
+                self.skipTest(f"Permission check failed: {str(e)}")
+
+        return wrapper  # type: ignore[return-value]
+
+    return decorator

tests/outlook/test_calendar.py

@@ -4,6 +4,7 @@
 from office365.outlook.calendar.calendar import Calendar
 from office365.outlook.calendar.email_address import EmailAddress
 from tests import create_unique_name, test_user_principal_name
+from tests.decorators import requires_delegated_permission
 from tests.graph_case import GraphTestCase
 
 
@@ -21,10 +22,19 @@ def setUpClass(cls):
     def tearDownClass(cls):
         pass
 
+    @requires_delegated_permission(
+        "Calendars.Read.Shared", "Calendars.ReadWrite.Shared"
+    )
     def test1_find_my_meeting_times(self):
         result = self.client.me.find_meeting_times().execute_query()
         self.assertIsNotNone(result.value.meetingTimeSuggestions)
 
+    @requires_delegated_permission(
+        "Calendars.ReadBasic",
+        "Calendars.Read",
+        "Calendars.ReadWrite",
+        "Calendars.ReadWrite.Shared",
+    )
     def test2_get_my_schedule(self):
         end_time = datetime.utcnow()
         start_time = end_time - timedelta(days=7)
@@ -35,10 +45,22 @@ def test2_get_my_schedule(self):
         ).execute_query()
         self.assertIsNotNone(result.value)
 
+    @requires_delegated_permission(
+        "Calendars.ReadBasic",
+        "Calendars.ReadWrite",
+        "Calendars.Read",
+        "Calendars.ReadWrite.Shared",
+    )
     def test3_list_my_cal_groups(self):
         cal_groups = self.client.me.calendar_groups.get().execute_query()
         self.assertIsNotNone(cal_groups.resource_path)
 
+    @requires_delegated_permission(
+        "Calendars.ReadBasic",
+        "Calendars.ReadWrite",
+        "Calendars.Read",
+        "Calendars.ReadWrite.Shared",
+    )
     def test4_list_my_cal_permissions(self):
         result = self.client.me.calendar.calendar_permissions.get().execute_query()
         self.assertIsNotNone(result.resource_path)

tests/outlook/test_rooms.py

@@ -2,7 +2,7 @@
 
 from office365.graph_client import GraphClient
 from tests import test_client_id, test_client_secret, test_tenant
-from tests.test_decorators import requires_app_permission
+from tests.decorators import requires_app_permission
 
 
 class TestRooms(TestCase):

tests/security/test_security.py

@@ -2,7 +2,7 @@
 
 from office365.graph_client import GraphClient
 from tests import test_client_id, test_client_secret, test_tenant
-from tests.test_decorators import requires_app_permission
+from tests.decorators import requires_app_permission
 
 
 class TestSecurity(TestCase):