TenantAtlas/tests/Feature/EntraAdminRoles/HighPrivilegeRoleCatalogTest.php

<?php

declare(strict_types=1);

use App\Services\EntraAdminRoles\HighPrivilegeRoleCatalog;

it('classifies Global Administrator template_id as critical', function (): void {
    $catalog = new HighPrivilegeRoleCatalog;

    expect($catalog->classify('62e90394-69f5-4237-9190-012177145e10', null))->toBe('critical');
});

it('classifies all 5 other high-privilege template_ids as high', function (string $templateId): void {
    $catalog = new HighPrivilegeRoleCatalog;

    expect($catalog->classify($templateId, null))->toBe('high');
})->with([
    'Privileged Role Administrator' => 'e8611ab8-c189-46e8-94e1-60213ab1f814',
    'Security Administrator' => '194ae4cb-b126-40b2-bd5b-6091b380977d',
    'Conditional Access Administrator' => 'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9',
    'Exchange Administrator' => '29232cdf-9323-42fd-ade2-1d097af3e4de',
    'Authentication Administrator' => 'c4e39bd9-1100-46d3-8c65-fb160da0071f',
]);

it('falls back to display_name when template_id does not match', function (): void {
    $catalog = new HighPrivilegeRoleCatalog;

    expect($catalog->classify('unknown-template-id', 'Security Administrator'))->toBe('high');
});

it('returns null for unknown template_id and unknown display_name', function (): void {
    $catalog = new HighPrivilegeRoleCatalog;

    expect($catalog->classify('unknown-template-id', 'Custom Role'))->toBeNull();
});

it('returns null for unknown template_id with null display_name', function (): void {
    $catalog = new HighPrivilegeRoleCatalog;

    expect($catalog->classify('unknown-template-id', null))->toBeNull();
});

it('identifies Global Administrator via isGlobalAdministrator', function (): void {
    $catalog = new HighPrivilegeRoleCatalog;

    expect($catalog->isGlobalAdministrator('62e90394-69f5-4237-9190-012177145e10', null))->toBeTrue()
        ->and($catalog->isGlobalAdministrator('e8611ab8-c189-46e8-94e1-60213ab1f814', null))->toBeFalse();
});

it('returns all 6 entries from allTemplateIds', function (): void {
    $catalog = new HighPrivilegeRoleCatalog;
    $all = $catalog->allTemplateIds();

    expect($all)->toHaveCount(6)
        ->and($all)->toHaveKey('62e90394-69f5-4237-9190-012177145e10');
});

it('matches display_name case-insensitively', function (): void {
    $catalog = new HighPrivilegeRoleCatalog;

    expect($catalog->classify('unknown-id', 'GLOBAL ADMINISTRATOR'))->toBe('critical')
        ->and($catalog->classify('unknown-id', 'global administrator'))->toBe('critical')
        ->and($catalog->classify('unknown-id', 'Global Administrator'))->toBe('critical');
});