Harden msgraph webhook auth requirements (#30169)

2026-05-24 04:25:20 -07:00
parent 3e78e353d7
commit 4ca77f1059
4 changed files with 38 additions and 4 deletions
--- a/tests/gateway/test_msgraph_webhook.py
+++ b/tests/gateway/test_msgraph_webhook.py
@@ -6,7 +6,7 @@ import json
 import pytest

 from gateway.config import GatewayConfig, Platform, PlatformConfig, _apply_env_overrides
-from gateway.platforms.msgraph_webhook import MSGraphWebhookAdapter
+from gateway.platforms.msgraph_webhook import AIOHTTP_AVAILABLE, MSGraphWebhookAdapter


 def _make_adapter(**extra_overrides) -> MSGraphWebhookAdapter:
@@ -70,6 +70,15 @@ class TestMSGraphWebhookConfig:


 class TestMSGraphValidationHandshake:
+    @pytest.mark.anyio
+    async def test_connect_requires_client_state(self):
+        if not AIOHTTP_AVAILABLE:
+            pytest.skip("aiohttp not installed")
+        adapter = MSGraphWebhookAdapter(PlatformConfig(enabled=True, extra={}))
+        connected = await adapter.connect()
+        assert connected is False
+        assert adapter.is_connected() is False
+
    @pytest.mark.anyio
    async def test_validation_token_echo_on_get(self):
        adapter = _make_adapter()
@@ -99,6 +108,22 @@ class TestMSGraphValidationHandshake:


 class TestMSGraphNotifications:
+    @pytest.mark.anyio
+    async def test_missing_client_state_is_auth_rejected(self):
+        adapter = _make_adapter(client_state=None)
+        payload = {
+            "value": [
+                {
+                    "id": "notif-no-client-state",
+                    "subscriptionId": "sub-1",
+                    "changeType": "updated",
+                    "resource": "communications/onlineMeetings/meeting-1",
+                }
+            ]
+        }
+        resp = await adapter._handle_notification(_FakeRequest(json_payload=payload))
+        assert resp.status == 403
+
    @pytest.mark.anyio
    async def test_valid_notification_accepted_and_scheduled(self):
        adapter = _make_adapter()
--- a/tests/gateway/test_platform_connected_checkers.py
+++ b/tests/gateway/test_platform_connected_checkers.py
@@ -79,10 +79,11 @@ def test_checker_returns_true_when_configured(platform, checker, monkeypatch):
    elif platform in {
        Platform.API_SERVER,
        Platform.WEBHOOK,
-        Platform.MSGRAPH_WEBHOOK,
        Platform.WHATSAPP,
    }:
        mock_config.extra = {}
+    elif platform == Platform.MSGRAPH_WEBHOOK:
+        mock_config.extra = {"client_state": "expected-client-state"}
    elif platform == Platform.FEISHU:
        mock_config.extra = {"app_id": "app"}
    elif platform == Platform.WECOM: