add sharepoint integration tests

Author: Subash-Mohan

backend/ee/onyx/external_permissions/sharepoint/utils.py

@@ -12,6 +12,8 @@
 
 from ee.onyx.db.external_perm import ExternalUserGroup
 from onyx.access.models import ExternalAccess
+from onyx.access.utils import build_ext_group_name_for_onyx
+from onyx.configs.constants import DocumentSource
 from onyx.utils.logger import setup_logger
 
 logger = setup_logger()
@@ -475,6 +477,7 @@ def get_external_access_from_sharepoint(
     graph_client: GraphClient,
     drive_name: str,
     drive_item: DriveItem,
+    add_prefix: bool = False,
 ) -> ExternalAccess:
     """
     Get external access information from SharePoint.
@@ -510,6 +513,19 @@ def add_user_and_group_to_sets(
     ) -> None:
         nonlocal user_emails, groups
         for assignment in role_assignments:
+            logger.info(f"Assignment: {assignment.to_json()}")
+            if assignment.role_definition_bindings:
+                role_names = [
+                    role_definition_binding.name
+                    for role_definition_binding in assignment.role_definition_bindings
+                ]
+
+                # Skip if the role is only Limited Access, because this is not a actual permission its a travel through permission
+                if role_names == ["Limited Access"]:
+                    logger.info(
+                        "Skipping assignment because it has only Limited Access role"
+                    )
+                    continue
             if assignment.member:
                 member = assignment.member
                 if hasattr(member, "principal_type"):
@@ -533,7 +549,7 @@ def add_user_and_group_to_sets(
                         )
 
     _sleep_and_retry(
-        item.role_assignments.expand(["Member"]).get_all(
+        item.role_assignments.expand(["Member", "RoleDefinitionBindings"]).get_all(
             page_loaded=add_user_and_group_to_sets
         ),
         "get_external_access_from_sharepoint",
@@ -542,6 +558,10 @@ def add_user_and_group_to_sets(
         client_context, graph_client, groups
     )
     for group_name, _ in groups_and_members.items():
+        if add_prefix:
+            group_name = build_ext_group_name_for_onyx(
+                group_name, DocumentSource.SHAREPOINT
+            )
         group_ids.add(group_name.lower())
 
     return ExternalAccess(
@@ -565,6 +585,19 @@ def get_sharepoint_external_groups(
     def add_group_to_sets(role_assignments: RoleAssignmentCollection) -> None:
         nonlocal groups
         for assignment in role_assignments:
+            logger.info(f"Assignment: {assignment.to_json()}")
+            if assignment.role_definition_bindings:
+                role_names = [
+                    role_definition_binding.name
+                    for role_definition_binding in assignment.role_definition_bindings
+                ]
+
+                # Skip if the role is only Limited Access, because this is not a actual permission its a travel through permission
+                if role_names == ["Limited Access"]:
+                    logger.info(
+                        "Skipping assignment because it has only Limited Access role"
+                    )
+                    continue
             if assignment.member:
                 member = assignment.member
                 if hasattr(member, "principal_type"):
@@ -581,9 +614,9 @@ def add_group_to_sets(role_assignments: RoleAssignmentCollection) -> None:
                         )
 
     _sleep_and_retry(
-        client_context.web.role_assignments.expand(["Member"]).get_all(
-            page_loaded=add_group_to_sets
-        ),
+        client_context.web.role_assignments.expand(
+            ["Member", "RoleDefinitionBindings"]
+        ).get_all(page_loaded=add_group_to_sets),
         "get_sharepoint_external_groups",
     )
     groups_and_members: dict[str, set[str]] = _get_groups_and_members_recursively(

backend/onyx/connectors/sharepoint/connector.py

@@ -131,7 +131,7 @@ def _convert_driveitem_to_document_with_permissions(
         raise ValueError("DriveItem ID is required")
     if include_permissions and ctx is None:
         raise ValueError("ClientContext is required for permissions")
-
+    logger.info(f"Getting drive item content for drive item: {driveitem.name}")
     content = driveitem.get_content().execute_query().value
 
     if content is None:
@@ -154,7 +154,7 @@ def _convert_driveitem_to_document_with_permissions(
     if include_permissions and ctx is not None:
         try:
             external_access = get_sharepoint_external_access(
-                driveitem, drive_name, ctx, graph_client
+                driveitem, drive_name, ctx, graph_client, True
             )
         except Exception as e:
             logger.warning(

backend/onyx/connectors/sharepoint/utils.py

@@ -15,6 +15,7 @@ def get_sharepoint_external_access(
     drive_name: str,
     ctx: ClientContext,
     graph_client: GraphClient,
+    add_prefix: bool = False,
 ) -> ExternalAccess:
     if drive_item.id is None:
         raise ValueError("DriveItem ID is required")
@@ -30,7 +31,7 @@ def noop_fallback(*args: Any, **kwargs: Any) -> ExternalAccess:
     )
 
     external_access = get_external_access_func(
-        ctx, graph_client, drive_name, drive_item
+        ctx, graph_client, drive_name, drive_item, add_prefix
     )
 
     return external_access

backend/tests/integration/connector_job_tests/sharepoint/conftest.py

@@ -0,0 +1,112 @@
+import os
+from collections.abc import Generator
+from datetime import datetime
+from datetime import timezone
+
+import pytest
+
+from onyx.configs.constants import DocumentSource
+from onyx.connectors.models import InputType
+from onyx.connectors.sharepoint.connector import SharepointAuthMethod
+from onyx.db.enums import AccessType
+from tests.integration.common_utils.managers.cc_pair import CCPairManager
+from tests.integration.common_utils.managers.connector import ConnectorManager
+from tests.integration.common_utils.managers.credential import CredentialManager
+from tests.integration.common_utils.managers.llm_provider import LLMProviderManager
+from tests.integration.common_utils.managers.user import UserManager
+from tests.integration.common_utils.reset import reset_all
+from tests.integration.common_utils.test_models import DATestCCPair
+from tests.integration.common_utils.test_models import DATestConnector
+from tests.integration.common_utils.test_models import DATestCredential
+from tests.integration.common_utils.test_models import DATestUser
+
+SharepointTestEnvSetupTuple = tuple[
+    DATestUser,  # admin_user
+    DATestUser,  # regular_user_1
+    DATestUser,  # regular_user_2
+    DATestCredential,
+    DATestConnector,
+    DATestCCPair,
+]
+
+
+@pytest.fixture(scope="module")
+def sharepoint_test_env_setup() -> Generator[SharepointTestEnvSetupTuple]:
+    # Reset all data before running the test
+    reset_all()
+    # Required environment variables for SharePoint certificate authentication
+    sp_client_id = os.environ["PERM_SYNC_SHAREPOINT_CLIENT_ID"]
+    sp_private_key = os.environ[
+        "PERM_SYNC_SHAREPOINT_PRIVATE_KEY"
+    ]  # Base64 encoded PFX data
+    sp_certificate_password = os.environ["PERM_SYNC_SHAREPOINT_CERTIFICATE_PASSWORD"]
+    sp_directory_id = os.environ["PERM_SYNC_SHAREPOINT_DIRECTORY_ID"]
+    sp_tenant_domain = os.environ["PERM_SYNC_SHAREPOINT_TENANT_DOMAIN"]
+    sharepoint_sites = "https://danswerai.sharepoint.com/sites/Permisisonsync"
+    admin_email = "admin@onyx.app"
+    user1_email = "subash@onyx.app"
+    user2_email = "raunak@onyx.app"
+
+    # Certificate-based credentials
+    credentials = {
+        "authentication_method": SharepointAuthMethod.CERTIFICATE.value,
+        "sp_client_id": sp_client_id,
+        "sp_private_key": sp_private_key,
+        "sp_certificate_password": sp_certificate_password,
+        "sp_directory_id": sp_directory_id,
+        "sp_tenant_domain": sp_tenant_domain,
+    }
+
+    # Create users
+    admin_user: DATestUser = UserManager.create(email=admin_email)
+    regular_user_1: DATestUser = UserManager.create(email=user1_email)
+    regular_user_2: DATestUser = UserManager.create(email=user2_email)
+
+    # Create LLM provider for search functionality
+    LLMProviderManager.create(user_performing_action=admin_user)
+
+    # Create credential
+    credential: DATestCredential = CredentialManager.create(
+        source=DocumentSource.SHAREPOINT,
+        credential_json=credentials,
+        user_performing_action=admin_user,
+    )
+
+    # Create connector with SharePoint-specific configuration
+    connector: DATestConnector = ConnectorManager.create(
+        name="SharePoint Test",
+        input_type=InputType.POLL,
+        source=DocumentSource.SHAREPOINT,
+        connector_specific_config={
+            "sites": sharepoint_sites.split(","),
+        },
+        access_type=AccessType.SYNC,  # Enable permission sync
+        user_performing_action=admin_user,
+    )
+
+    # Create CC pair with permission sync enabled
+    cc_pair: DATestCCPair = CCPairManager.create(
+        credential_id=credential.id,
+        connector_id=connector.id,
+        access_type=AccessType.SYNC,  # Enable permission sync
+        user_performing_action=admin_user,
+    )
+
+    # Wait for both indexing and permission sync to complete
+    before = datetime.now(tz=timezone.utc)
+    CCPairManager.wait_for_indexing_completion(
+        cc_pair=cc_pair,
+        after=before,
+        user_performing_action=admin_user,
+        timeout=float("inf"),
+    )
+
+    # Wait for permission sync completion specifically
+    CCPairManager.wait_for_sync(
+        cc_pair=cc_pair,
+        after=before,
+        user_performing_action=admin_user,
+        timeout=float("inf"),
+    )
+
+    yield admin_user, regular_user_1, regular_user_2, credential, connector, cc_pair