fleet/server/service/service_invites_test.go

package service

import (
	"context"
	"testing"
	"time"

	"github.com/WatchBeam/clock"
	"github.com/fleetdm/fleet/v4/server/authz"
	"github.com/fleetdm/fleet/v4/server/config"
	"github.com/fleetdm/fleet/v4/server/contexts/viewer"
	"github.com/fleetdm/fleet/v4/server/fleet"
	"github.com/fleetdm/fleet/v4/server/mock"
	"github.com/fleetdm/fleet/v4/server/ptr"
	"github.com/fleetdm/fleet/v4/server/test"
	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	"gopkg.in/guregu/null.v3"
)

func TestInviteNewUserMock(t *testing.T) {
	ms := new(mock.Store)
	ms.UserByEmailFunc = mock.UserWithEmailNotFound()
	ms.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
		return &fleet.AppConfig{ServerSettings: fleet.ServerSettings{ServerURL: "https://acme.co"}}, nil
	}

	ms.NewInviteFunc = func(ctx context.Context, i *fleet.Invite) (*fleet.Invite, error) {
		return i, nil
	}
	mailer := &mockMailService{SendEmailFn: func(e fleet.Email) error { return nil }}

	svc := validationMiddleware{&Service{
		ds:          ms,
		config:      config.TestConfig(),
		mailService: mailer,
		clock:       clock.NewMockClock(),
		authz:       authz.Must(),
	}, ms, nil}

	payload := fleet.InvitePayload{
		Email: ptr.String("user@acme.co"),
	}

	// happy path
	invite, err := svc.InviteNewUser(test.UserContext(test.UserAdmin), payload)
	require.Nil(t, err)
	assert.Equal(t, test.UserAdmin.ID, invite.InvitedBy)
	assert.True(t, ms.NewInviteFuncInvoked)
	assert.True(t, ms.AppConfigFuncInvoked)
	assert.True(t, mailer.Invoked)

	ms.UserByEmailFunc = mock.UserByEmailWithUser(new(fleet.User))
	_, err = svc.InviteNewUser(test.UserContext(test.UserAdmin), payload)
	require.NotNil(t, err, "should err if the user we're inviting already exists")
}

func TestVerifyInvite(t *testing.T) {
	ms := new(mock.Store)
	svc := newTestService(ms, nil, nil)

	ms.InviteByTokenFunc = func(ctx context.Context, token string) (*fleet.Invite, error) {
		return &fleet.Invite{
			ID:    1,
			Token: "abcd",
			UpdateCreateTimestamps: fleet.UpdateCreateTimestamps{
				CreateTimestamp: fleet.CreateTimestamp{
					CreatedAt: time.Now().AddDate(-1, 0, 0),
				},
			},
		}, nil
	}
	wantErr := fleet.NewInvalidArgumentError("invite_token", "Invite token has expired.")
	_, err := svc.VerifyInvite(test.UserContext(test.UserAdmin), "abcd")
	assert.Equal(t, err, wantErr)

	wantErr = fleet.NewInvalidArgumentError("invite_token", "Invite Token does not match Email Address.")

	_, err = svc.VerifyInvite(test.UserContext(test.UserAdmin), "bad_token")
	assert.Equal(t, err, wantErr)
}

func TestDeleteInvite(t *testing.T) {
	ms := new(mock.Store)
	svc := newTestService(ms, nil, nil)

	ms.DeleteInviteFunc = func(context.Context, uint) error { return nil }
	err := svc.DeleteInvite(test.UserContext(test.UserAdmin), 1)
	require.Nil(t, err)
	assert.True(t, ms.DeleteInviteFuncInvoked)
}

func TestListInvites(t *testing.T) {
	ms := new(mock.Store)
	svc := newTestService(ms, nil, nil)

	ms.ListInvitesFunc = func(context.Context, fleet.ListOptions) ([]*fleet.Invite, error) {
		return nil, nil
	}
	_, err := svc.ListInvites(test.UserContext(test.UserAdmin), fleet.ListOptions{})
	require.Nil(t, err)
	assert.True(t, ms.ListInvitesFuncInvoked)
}

func TestInvitesAuth(t *testing.T) {
	ds := new(mock.Store)
	svc := newTestService(ds, nil, nil)

	ds.ListInvitesFunc = func(context.Context, fleet.ListOptions) ([]*fleet.Invite, error) {
		return nil, nil
	}
	ds.DeleteInviteFunc = func(context.Context, uint) error { return nil }
	ds.UserByEmailFunc = func(ctx context.Context, email string) (*fleet.User, error) {
		return nil, &notFoundError{}
	}
	ds.NewInviteFunc = func(ctx context.Context, i *fleet.Invite) (*fleet.Invite, error) {
		return &fleet.Invite{}, nil
	}
	ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {
		return &fleet.AppConfig{}, nil
	}
	var testCases = []struct {
		name            string
		user            *fleet.User
		shouldFailWrite bool
		shouldFailRead  bool
	}{
		{
			"global admin",
			&fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)},
			false,
			false,
		},
		{
			"global maintainer",
			&fleet.User{GlobalRole: ptr.String(fleet.RoleMaintainer)},
			true,
			true,
		},
		{
			"global observer",
			&fleet.User{GlobalRole: ptr.String(fleet.RoleObserver)},
			true,
			true,
		},
		{
			"team admin, belongs to team",
			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleAdmin}}},
			true,
			true,
		},
		{
			"team maintainer, belongs to team",
			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleMaintainer}}},
			true,
			true,
		},
		{
			"team observer, belongs to team",
			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleObserver}}},
			true,
			true,
		},
		{
			"team maintainer, DOES NOT belong to team",
			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleMaintainer}}},
			true,
			true,
		},
		{
			"team admin, DOES NOT belong to team",
			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleAdmin}}},
			true,
			true,
		},
		{
			"team observer, DOES NOT belong to team",
			&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleObserver}}},
			true,
			true,
		},
	}
	for _, tt := range testCases {
		t.Run(tt.name, func(t *testing.T) {
			ctx := viewer.NewContext(context.Background(), viewer.Viewer{User: tt.user})

			_, err := svc.InviteNewUser(ctx, fleet.InvitePayload{
				Email:      ptr.String("e@mail.com"),
				Name:       ptr.String("name"),
				Position:   ptr.String("someposition"),
				SSOEnabled: ptr.Bool(false),
				GlobalRole: null.StringFromPtr(tt.user.GlobalRole),
				Teams: []fleet.UserTeam{
					{
						Team: fleet.Team{ID: 1},
						Role: fleet.RoleMaintainer,
					},
				},
			})
			checkAuthErr(t, tt.shouldFailWrite, err)

			_, err = svc.ListInvites(ctx, fleet.ListOptions{})
			checkAuthErr(t, tt.shouldFailRead, err)

			err = svc.DeleteInvite(ctx, 99)
			checkAuthErr(t, tt.shouldFailWrite, err)
		})
	}
}
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`package service`

			`import (`
Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`"context"`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`"testing"`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00			`"time"`
Datastore refactor (#439) Removed Gorm, replaced it with Sqlx * Added SQL bundling command to Makfile * Using go-kit logger * Added soft delete capability * Changed SearchLabel to accept a variadic param for optional omit list instead of array * Gorm removed * Refactor table structures to use CURRENT_TIMESTAMP mysql function * Moved Inmem datastore into it's own package * Updated README * Implemented code review suggestions from @zwass * Removed reference to Gorm from glide.yaml 2016-11-16 13:47:49 +00:00
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`"github.com/WatchBeam/clock"`
Add v4 suffix in go.mod (#1224) 2021-06-26 04:46:51 +00:00			`"github.com/fleetdm/fleet/v4/server/authz"`
			`"github.com/fleetdm/fleet/v4/server/config"`
Issue 2134 add team admin role (#2499) * wip * Add team admin role and tests * Revert change in invites * Update permission doc * Fix lint 2021-10-13 15:34:59 +00:00			`"github.com/fleetdm/fleet/v4/server/contexts/viewer"`
Add v4 suffix in go.mod (#1224) 2021-06-26 04:46:51 +00:00			`"github.com/fleetdm/fleet/v4/server/fleet"`
			`"github.com/fleetdm/fleet/v4/server/mock"`
			`"github.com/fleetdm/fleet/v4/server/ptr"`
			`"github.com/fleetdm/fleet/v4/server/test"`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`"github.com/stretchr/testify/assert"`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00			`"github.com/stretchr/testify/require"`
Issue 2134 add team admin role (#2499) * wip * Add team admin role and tests * Revert change in invites * Update permission doc * Fix lint 2021-10-13 15:34:59 +00:00			`"gopkg.in/guregu/null.v3"`
Adds endpoints to invite new users to the application. (#235) User service checks that tokens are valid on new user signups. Closes #230 2016-09-29 02:44:05 +00:00			`)`

add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00			`func TestInviteNewUserMock(t *testing.T) {`
Remove invited_by from invite parameters (#591) Instead, use the value extracted from the viewer context. 2021-04-05 20:28:43 +00:00			`ms := new(mock.Store)`
			`ms.UserByEmailFunc = mock.UserWithEmailNotFound()`
Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`ms.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {`
Remove unneeded interfaces (#1779) * Remove unneeded interfaces * Remove unused code 2021-08-24 21:49:56 +00:00			`return &fleet.AppConfig{ServerSettings: fleet.ServerSettings{ServerURL: "https://acme.co"}}, nil`
			`}`

Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`ms.NewInviteFunc = func(ctx context.Context, i fleet.Invite) (fleet.Invite, error) {`
Remove invited_by from invite parameters (#591) Instead, use the value extracted from the viewer context. 2021-04-05 20:28:43 +00:00			`return i, nil`
			`}`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`mailer := &mockMailService{SendEmailFn: func(e fleet.Email) error { return nil }}`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00
Refactor teams service methods (#910) - Move team-related service methods to `ee/server/service`. - Instantiate different service on startup based on license key. - Refactor service errors into separate package. - Add support for running E2E tests in both Core and Basic tiers. 2021-06-01 00:07:51 +00:00			`svc := validationMiddleware{&Service{`
Remove invited_by from invite parameters (#591) Instead, use the value extracted from the viewer context. 2021-04-05 20:28:43 +00:00			`ds: ms,`
			`config: config.TestConfig(),`
			`mailService: mailer,`
			`clock: clock.NewMockClock(),`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`authz: authz.Must(),`
Remove invited_by from invite parameters (#591) Instead, use the value extracted from the viewer context. 2021-04-05 20:28:43 +00:00			`}, ms, nil}`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`payload := fleet.InvitePayload{`
Refactor usage of null values in Teams models (#863) - Use pointers rather than null package types. - Use new internal ptr package. - Improved handling of changing user teams/roles. 2021-05-25 22:46:46 +00:00			`Email: ptr.String("user@acme.co"),`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00			`}`

			`// happy path`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`invite, err := svc.InviteNewUser(test.UserContext(test.UserAdmin), payload)`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00			`require.Nil(t, err)`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`assert.Equal(t, test.UserAdmin.ID, invite.InvitedBy)`
Remove invited_by from invite parameters (#591) Instead, use the value extracted from the viewer context. 2021-04-05 20:28:43 +00:00			`assert.True(t, ms.NewInviteFuncInvoked)`
			`assert.True(t, ms.AppConfigFuncInvoked)`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00			`assert.True(t, mailer.Invoked)`

Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`ms.UserByEmailFunc = mock.UserByEmailWithUser(new(fleet.User))`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`_, err = svc.InviteNewUser(test.UserContext(test.UserAdmin), payload)`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00			`require.NotNil(t, err, "should err if the user we're inviting already exists")`
			`}`

			`func TestVerifyInvite(t *testing.T) {`
			`ms := new(mock.Store)`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`svc := newTestService(ms, nil, nil)`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00
Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`ms.InviteByTokenFunc = func(ctx context.Context, token string) (*fleet.Invite, error) {`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`return &fleet.Invite{`
Remove invited_by from invite parameters (#591) Instead, use the value extracted from the viewer context. 2021-04-05 20:28:43 +00:00			`ID: 1,`
			`Token: "abcd",`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`UpdateCreateTimestamps: fleet.UpdateCreateTimestamps{`
			`CreateTimestamp: fleet.CreateTimestamp{`
Remove invited_by from invite parameters (#591) Instead, use the value extracted from the viewer context. 2021-04-05 20:28:43 +00:00			`CreatedAt: time.Now().AddDate(-1, 0, 0),`
			`},`
			`},`
			`}, nil`
			`}`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`wantErr := fleet.NewInvalidArgumentError("invite_token", "Invite token has expired.")`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`_, err := svc.VerifyInvite(test.UserContext(test.UserAdmin), "abcd")`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00			`assert.Equal(t, err, wantErr)`

Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`wantErr = fleet.NewInvalidArgumentError("invite_token", "Invite Token does not match Email Address.")`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`_, err = svc.VerifyInvite(test.UserContext(test.UserAdmin), "bad_token")`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00			`assert.Equal(t, err, wantErr)`
			`}`

			`func TestDeleteInvite(t *testing.T) {`
			`ms := new(mock.Store)`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`svc := newTestService(ms, nil, nil)`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00
Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`ms.DeleteInviteFunc = func(context.Context, uint) error { return nil }`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`err := svc.DeleteInvite(test.UserContext(test.UserAdmin), 1)`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00			`require.Nil(t, err)`
			`assert.True(t, ms.DeleteInviteFuncInvoked)`
			`}`

			`func TestListInvites(t *testing.T) {`
			`ms := new(mock.Store)`
Add authorization checks in service (#938) - Add policy.rego file defining authorization policies. - Add Go integrations to evaluate Rego policies (via OPA). - Add middleware to ensure requests without authorization check are rejected (guard against programmer error). - Add authorization checks to most service endpoints. 2021-06-03 23:24:15 +00:00			`svc := newTestService(ms, nil, nil)`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00
Add support for context in datastore/mysql layer (#1962) This is just to pass down the context to the datastore layer, it doesn't use it just yet - this will be in a follow-up PR. 2021-09-14 12:11:07 +00:00			`ms.ListInvitesFunc = func(context.Context, fleet.ListOptions) ([]*fleet.Invite, error) {`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00			`return nil, nil`
			`}`
Remove kolide types and packages from backend (#974) Generally renamed `kolide` -> `fleet` 2021-06-06 22:07:29 +00:00			`_, err := svc.ListInvites(test.UserContext(test.UserAdmin), fleet.ListOptions{})`
add mock package and use in invite tests (#603) * add mock package and use in invite tests * mock expired invite test 2017-01-10 21:49:14 +00:00			`require.Nil(t, err)`
			`assert.True(t, ms.ListInvitesFuncInvoked)`
			`}`
Issue 2134 add team admin role (#2499) * wip * Add team admin role and tests * Revert change in invites * Update permission doc * Fix lint 2021-10-13 15:34:59 +00:00
			`func TestInvitesAuth(t *testing.T) {`
			`ds := new(mock.Store)`
			`svc := newTestService(ds, nil, nil)`

			`ds.ListInvitesFunc = func(context.Context, fleet.ListOptions) ([]*fleet.Invite, error) {`
			`return nil, nil`
			`}`
			`ds.DeleteInviteFunc = func(context.Context, uint) error { return nil }`
			`ds.UserByEmailFunc = func(ctx context.Context, email string) (*fleet.User, error) {`
			`return nil, &notFoundError{}`
			`}`
			`ds.NewInviteFunc = func(ctx context.Context, i fleet.Invite) (fleet.Invite, error) {`
			`return &fleet.Invite{}, nil`
			`}`
			`ds.AppConfigFunc = func(ctx context.Context) (*fleet.AppConfig, error) {`
			`return &fleet.AppConfig{}, nil`
			`}`
			`var testCases = []struct {`
			`name string`
			`user *fleet.User`
			`shouldFailWrite bool`
			`shouldFailRead bool`
			`}{`
			`{`
			`"global admin",`
			`&fleet.User{GlobalRole: ptr.String(fleet.RoleAdmin)},`
			`false,`
			`false,`
			`},`
			`{`
			`"global maintainer",`
			`&fleet.User{GlobalRole: ptr.String(fleet.RoleMaintainer)},`
			`true,`
			`true,`
			`},`
			`{`
			`"global observer",`
			`&fleet.User{GlobalRole: ptr.String(fleet.RoleObserver)},`
			`true,`
			`true,`
			`},`
			`{`
			`"team admin, belongs to team",`
			`&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleAdmin}}},`
			`true,`
			`true,`
			`},`
			`{`
			`"team maintainer, belongs to team",`
			`&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleMaintainer}}},`
			`true,`
			`true,`
			`},`
			`{`
			`"team observer, belongs to team",`
			`&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 1}, Role: fleet.RoleObserver}}},`
			`true,`
			`true,`
			`},`
			`{`
			`"team maintainer, DOES NOT belong to team",`
			`&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleMaintainer}}},`
			`true,`
			`true,`
			`},`
			`{`
			`"team admin, DOES NOT belong to team",`
			`&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleAdmin}}},`
			`true,`
			`true,`
			`},`
			`{`
			`"team observer, DOES NOT belong to team",`
			`&fleet.User{Teams: []fleet.UserTeam{{Team: fleet.Team{ID: 2}, Role: fleet.RoleObserver}}},`
			`true,`
			`true,`
			`},`
			`}`
			`for _, tt := range testCases {`
			`t.Run(tt.name, func(t *testing.T) {`
			`ctx := viewer.NewContext(context.Background(), viewer.Viewer{User: tt.user})`

			`_, err := svc.InviteNewUser(ctx, fleet.InvitePayload{`
			`Email: ptr.String("e@mail.com"),`
			`Name: ptr.String("name"),`
			`Position: ptr.String("someposition"),`
			`SSOEnabled: ptr.Bool(false),`
			`GlobalRole: null.StringFromPtr(tt.user.GlobalRole),`
			`Teams: []fleet.UserTeam{`
			`{`
			`Team: fleet.Team{ID: 1},`
			`Role: fleet.RoleMaintainer,`
			`},`
			`},`
			`})`
			`checkAuthErr(t, tt.shouldFailWrite, err)`

			`_, err = svc.ListInvites(ctx, fleet.ListOptions{})`
			`checkAuthErr(t, tt.shouldFailRead, err)`

			`err = svc.DeleteInvite(ctx, 99)`
			`checkAuthErr(t, tt.shouldFailWrite, err)`
			`})`
			`}`
			`}`