
@richardogundele richardogundele commented Sep 26, 2025

Title

Non-admin GET /workspaces fails without Graph Directory.Read.All when user management is disabled

Problem

When USER_MANAGEMENT_ENABLED=False, non-admin requests to GET /api/workspaces can fail if Microsoft Graph is unavailable or Directory.Read.All is not granted. The failure originates from role assignment resolution and bubbles up as an error, blocking workspace listing in least-privilege deployments.

Impact

  • Who: Non-admin users (e.g., WorkspaceOwner, WorkspaceResearcher, AirlockManager).
  • What: Unable to list workspaces without Graph Directory.Read.All or during Graph outages.
  • Severity: High in tenants intentionally avoiding Graph directory permissions.

Steps to Reproduce

  1. Deploy with USER_MANAGEMENT_ENABLED=False and without granting Directory.Read.All to the API identity.
  2. Sign in as a non-admin user.
  3. Call GET /api/workspaces.
  4. Request fails due to AuthConfigValidationError from identity role assignment lookup.

Expected

  • Non-admin GET /api/workspaces succeeds and returns the user’s accessible workspaces (or an empty list), even when Graph is unavailable, when USER_MANAGEMENT_ENABLED=False.

Actual

  • Request fails because role assignments cannot be resolved via Graph, raising AuthConfigValidationError.

Root Cause

get_identity_role_assignments errors (Graph-dependent) are not handled in the non-admin listing path. With USER_MANAGEMENT_ENABLED=False, we still hard-require Graph, creating an unnecessary dependency.


What

Adds a graceful fallback for user role assignment resolution so non-admin GET /workspaces does not hard-require Microsoft Graph Directory.Read.All.

Why

Reduces tenant permission friction and supports least-privilege deployments without breaking the endpoint.

How

  • api_app/api/routes/resource_helpers.py:get_identity_role_assignments now catches AuthConfigValidationError and:
    • If core.config.USER_MANAGEMENT_ENABLED=True: preserve strict behavior (re-raise).
    • If False: return an empty assignment list, avoiding a hard failure.
  • Admin listing logic remains unchanged.

Behavior Changes

  • Admins: unchanged; list all workspaces as before.
  • Non-admins:
    • With USER_MANAGEMENT_ENABLED=True: unchanged; Graph is still required.
    • With USER_MANAGEMENT_ENABLED=False: endpoint no longer errors when Graph is unavailable; response may be empty if roles can’t be resolved.

Tests

  • api_app/tests_ma/test_api/test_routes/test_resource_helpers.py
    • Fallback returns [] when disabled.
    • Raises when enabled (strict mode).
    • Updated to use unittest.mock.patch and pytest.monkeypatch for clean config toggling.

Verification

  • Set USER_MANAGEMENT_ENABLED=False and simulate Graph failure → GET /workspaces returns 200 with an appropriate list (possibly empty).
  • Set USER_MANAGEMENT_ENABLED=True and simulate Graph failure → error continues to propagate as before.

Notes

  • Linting passes.
  • No breaking changes; default behavior preserved when user management is enabled.

Related

  • PR: #4682

@github-actions github-actions bot added the external PR from an external contributor label Sep 26, 2025
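The fallback described in the PR description above, sketched as an added example; this is not the project's code. `AuthConfigValidationError` is a local stand-in, and `resolve_role_assignments`, `list_workspaces`, the stub lookups and the workspace IDs are hypothetical names and constructed data. It shows the property a reviewer would check: the degraded path fails closed (no roles, no workspaces) and swallows only the one named error.

```python
import logging

log = logging.getLogger("role_fallback_example")

class AuthConfigValidationError(Exception):
    """Stand-in for the error the PR says the Graph-backed lookup raises."""

def graph_down(user_id):
    # Constructed stub: Graph unreachable or Directory.Read.All not granted.
    raise AuthConfigValidationError("role assignments unavailable")

def graph_ok(user_id):
    # Constructed stub: the user holds a role on workspace "ws-a" only.
    return [("ws-a", "WorkspaceResearcher")]

def resolve_role_assignments(user_id, lookup, user_management_enabled):
    """Return (workspace_id, role) pairs; degrade to [] only in the agreed case."""
    try:
        return list(lookup(user_id))
    except AuthConfigValidationError:
        if user_management_enabled:
            raise  # strict mode: surface the misconfiguration
        # Fail closed: no resolved roles means no role-derived access.
        log.warning("role lookup failed for %s; using no assignments", user_id)
        return []

def list_workspaces(user_id, is_admin, all_workspaces, lookup, user_management_enabled):
    """Hypothetical listing path: admins see all, others only assigned workspaces."""
    if is_admin:
        return list(all_workspaces)  # admin path never calls the lookup
    pairs = resolve_role_assignments(user_id, lookup, user_management_enabled)
    assigned = {ws for ws, _role in pairs}
    return [ws for ws in all_workspaces if ws in assigned]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    workspaces = ["ws-a", "ws-b"]  # constructed sample data
    print(list_workspaces("u1", False, workspaces, graph_ok, False))
    print(list_workspaces("u1", False, workspaces, graph_down, False))
```

Any exception other than `AuthConfigValidationError` still propagates in both modes, so the fallback cannot mask unrelated failures.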
@marrobi
Member

marrobi commented Sep 26, 2025

@richardogundele thanks for the PR, can you please update the title and description so we know what this does. Thanks.

@richardogundele richardogundele changed the title from "fix: add missing imports" to "Make Directory.Read.All optional for non-admin workspace listing (graceful fallback)" Sep 26, 2025
@github-actions

Unit Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit 5cb2a6d.

Contributor

Copilot AI left a comment

Pull Request Overview

This PR implements a graceful fallback mechanism for Microsoft Graph API failures when listing workspaces for non-admin users, allowing deployments without Directory.Read.All permissions when user management is disabled.

Key changes:

  • Adds conditional error handling in get_identity_role_assignments to gracefully handle Graph API unavailability
  • Maintains strict behavior when USER_MANAGEMENT_ENABLED=True but allows fallback when disabled
  • Provides comprehensive test coverage for both enabled and disabled user management scenarios

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| api_app/api/routes/resource_helpers.py | Adds try-catch logic with conditional fallback based on USER_MANAGEMENT_ENABLED config |
| api_app/tests_ma/test_api/test_routes/test_resource_helpers.py | Adds comprehensive tests for both fallback and strict mode behaviors |

@marrobi
Member

marrobi commented Oct 3, 2025

@richardogundele can you create an issue for this explaining the error seen, the PR description explains the fix but not really the error. If we look back to why this PR exists, we need the issue. Thanks.
