no test coverage of POST /org/:shortname/user with active_roles ?

[ElectricNroff]

cve-services/test-http/src/test/org_user_tests/org.py

Lines 653 to 659 in d4b214b

	def post_new_org_user(org_short_name, user_name):
	""" create a user for the organization defined by its short name """
	return requests.post(
	f'{env.AWG_BASE_URL}{ORG_URL}/{org_short_name}/user',
	headers=utils.BASE_HEADERS,
	json={'username': user_name}
	)

tests creating a user without the authority property but I couldn't find a test case in which authority is used during POST.

There should be tests for data of the form:

{"username": "[email protected]", "authority": {"active_roles": ["ADMIN"]}}
This is a common case implemented by clients in the past.

{"username": "[email protected]", "authority": {"active_roles": []}}
This pattern is being added to a client. The server behavior needs to be equivalent to omitting the authority property.

{"username": "[email protected]", "authority": {"active_roles": ["NOT_A_ROLE"]}}
This must fail because NOT_A_ROLE is not in the enum.

This data passes through custom middleware and the behavior needs to stay the same even if the middleware implementation is changed:

cve-services/src/controller/org.controller/index.js

Lines 559 to 563 in d4b214b

	body(['authority.active_roles']).optional()
	.custom(mw.isFlatStringArray)
	.bail()
	.customSanitizer(toUpperCaseArray)
	.custom(isUserRole),