update tests

management/server/http/testing/integration/invites_handler_integration_test.go

@@ -0,0 +1,154 @@
+//go:build integration
+
+package integration
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/netbirdio/netbird/management/server/http/testing/testing_tools"
+	"github.com/netbirdio/netbird/management/server/http/testing/testing_tools/channel"
+	"github.com/netbirdio/netbird/shared/management/http/api"
+)
+
+// Note: The integration test infrastructure does not configure an embedded IDP,
+// so actual invite operations will return PreconditionFailed (412) for authorized users.
+// These tests verify that the permissions layer correctly denies regular users
+// before the handler logic is reached.
+
+func Test_Invites_List(t *testing.T) {
+	users := []struct {
+		name           string
+		userId         string
+		expectResponse bool
+	}{
+		{"Regular user", testing_tools.TestUserId, false},
+		{"Admin user", testing_tools.TestAdminId, true},
+		{"Owner user", testing_tools.TestOwnerId, true},
+		{"Regular service user", testing_tools.TestServiceUserId, false},
+		{"Admin service user", testing_tools.TestServiceAdminId, true},
+		{"Blocked user", testing_tools.BlockedUserId, false},
+		{"Other user", testing_tools.OtherUserId, false},
+		{"Invalid token", testing_tools.InvalidToken, false},
+	}
+
+	for _, user := range users {
+		t.Run(user.name+" - List invites", func(t *testing.T) {
+			apiHandler, _, _ := channel.BuildApiBlackBoxWithDBState(t, "../testdata/users_integration.sql", nil, false)
+
+			req := testing_tools.BuildRequest(t, []byte{}, http.MethodGet, "/api/users/invites", user.userId)
+			recorder := httptest.NewRecorder()
+			apiHandler.ServeHTTP(recorder, req)
+
+			// Authorized users get PreconditionFailed (no embedded IDP configured)
+			// Unauthorized users get rejected by the permissions middleware
+			testing_tools.ReadResponse(t, recorder, http.StatusPreconditionFailed, user.expectResponse)
+		})
+	}
+}
+
+func Test_Invites_Create(t *testing.T) {
+	users := []struct {
+		name           string
+		userId         string
+		expectResponse bool
+	}{
+		{"Regular user", testing_tools.TestUserId, false},
+		{"Admin user", testing_tools.TestAdminId, true},
+		{"Owner user", testing_tools.TestOwnerId, true},
+		{"Regular service user", testing_tools.TestServiceUserId, false},
+		{"Admin service user", testing_tools.TestServiceAdminId, true},
+		{"Blocked user", testing_tools.BlockedUserId, false},
+		{"Other user", testing_tools.OtherUserId, false},
+		{"Invalid token", testing_tools.InvalidToken, false},
+	}
+
+	for _, user := range users {
+		t.Run(user.name+" - Create invite", func(t *testing.T) {
+			apiHandler, _, _ := channel.BuildApiBlackBoxWithDBState(t, "../testdata/users_integration.sql", nil, false)
+
+			body, err := json.Marshal(&api.UserInviteCreateRequest{
+				Email:      "newuser@test.com",
+				Name:       "New User",
+				Role:       "user",
+				AutoGroups: []string{},
+			})
+			if err != nil {
+				t.Fatalf("Failed to marshal request body: %v", err)
+			}
+
+			req := testing_tools.BuildRequest(t, body, http.MethodPost, "/api/users/invites", user.userId)
+			recorder := httptest.NewRecorder()
+			apiHandler.ServeHTTP(recorder, req)
+
+			// Authorized users get PreconditionFailed (no embedded IDP configured)
+			// Unauthorized users get rejected by the permissions middleware
+			testing_tools.ReadResponse(t, recorder, http.StatusPreconditionFailed, user.expectResponse)
+		})
+	}
+}
+
+func Test_Invites_Delete(t *testing.T) {
+	users := []struct {
+		name           string
+		userId         string
+		expectResponse bool
+	}{
+		{"Regular user", testing_tools.TestUserId, false},
+		{"Admin user", testing_tools.TestAdminId, true},
+		{"Owner user", testing_tools.TestOwnerId, true},
+		{"Regular service user", testing_tools.TestServiceUserId, false},
+		{"Admin service user", testing_tools.TestServiceAdminId, true},
+		{"Blocked user", testing_tools.BlockedUserId, false},
+		{"Other user", testing_tools.OtherUserId, false},
+		{"Invalid token", testing_tools.InvalidToken, false},
+	}
+
+	for _, user := range users {
+		t.Run(user.name+" - Delete invite", func(t *testing.T) {
+			apiHandler, _, _ := channel.BuildApiBlackBoxWithDBState(t, "../testdata/users_integration.sql", nil, false)
+
+			req := testing_tools.BuildRequest(t, []byte{}, http.MethodDelete, strings.Replace("/api/users/invites/{inviteId}", "{inviteId}", "someInviteId", 1), user.userId)
+			recorder := httptest.NewRecorder()
+			apiHandler.ServeHTTP(recorder, req)
+
+			// Authorized users get PreconditionFailed (no embedded IDP configured)
+			// Unauthorized users get rejected by the permissions middleware
+			testing_tools.ReadResponse(t, recorder, http.StatusPreconditionFailed, user.expectResponse)
+		})
+	}
+}
+
+func Test_Invites_Regenerate(t *testing.T) {
+	users := []struct {
+		name           string
+		userId         string
+		expectResponse bool
+	}{
+		{"Regular user", testing_tools.TestUserId, false},
+		{"Admin user", testing_tools.TestAdminId, true},
+		{"Owner user", testing_tools.TestOwnerId, true},
+		{"Regular service user", testing_tools.TestServiceUserId, false},
+		{"Admin service user", testing_tools.TestServiceAdminId, true},
+		{"Blocked user", testing_tools.BlockedUserId, false},
+		{"Other user", testing_tools.OtherUserId, false},
+		{"Invalid token", testing_tools.InvalidToken, false},
+	}
+
+	for _, user := range users {
+		t.Run(user.name+" - Regenerate invite", func(t *testing.T) {
+			apiHandler, _, _ := channel.BuildApiBlackBoxWithDBState(t, "../testdata/users_integration.sql", nil, false)
+
+			req := testing_tools.BuildRequest(t, []byte{}, http.MethodPost, strings.Replace("/api/users/invites/{inviteId}/regenerate", "{inviteId}", "someInviteId", 1), user.userId)
+			recorder := httptest.NewRecorder()
+			apiHandler.ServeHTTP(recorder, req)
+
+			// Authorized users get PreconditionFailed (no embedded IDP configured)
+			// Unauthorized users get rejected by the permissions middleware
+			testing_tools.ReadResponse(t, recorder, http.StatusPreconditionFailed, user.expectResponse)
+		})
+	}
+}

management/server/http/testing/integration/posture_checks_handler_integration_test.go

@@ -0,0 +1,372 @@
+//go:build integration
+
+package integration
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/netbirdio/netbird/management/server/http/testing/testing_tools"
+	"github.com/netbirdio/netbird/management/server/http/testing/testing_tools/channel"
+	"github.com/netbirdio/netbird/shared/management/http/api"
+)
+
+func Test_PostureChecks_GetAll(t *testing.T) {
+	users := []struct {
+		name           string
+		userId         string
+		expectResponse bool
+	}{
+		{"Regular user", testing_tools.TestUserId, false},
+		{"Admin user", testing_tools.TestAdminId, true},
+		{"Owner user", testing_tools.TestOwnerId, true},
+		{"Regular service user", testing_tools.TestServiceUserId, false},
+		{"Admin service user", testing_tools.TestServiceAdminId, true},
+		{"Blocked user", testing_tools.BlockedUserId, false},
+		{"Other user", testing_tools.OtherUserId, false},
+		{"Invalid token", testing_tools.InvalidToken, false},
+	}
+
+	for _, user := range users {
+		t.Run(user.name+" - Get all posture checks", func(t *testing.T) {
+			apiHandler, _, done := channel.BuildApiBlackBoxWithDBState(t, "../testdata/posture_checks.sql", nil, true)
+
+			req := testing_tools.BuildRequest(t, []byte{}, http.MethodGet, "/api/posture-checks", user.userId)
+			recorder := httptest.NewRecorder()
+			apiHandler.ServeHTTP(recorder, req)
+
+			content, expectResponse := testing_tools.ReadResponse(t, recorder, http.StatusOK, user.expectResponse)
+			if !expectResponse {
+				return
+			}
+
+			got := []*api.PostureCheck{}
+			if err := json.Unmarshal(content, &got); err != nil {
+				t.Fatalf("Sent content is not in correct json format; %v", err)
+			}
+
+			assert.Equal(t, 1, len(got))
+			assert.Equal(t, "testPostureCheckId", got[0].Id)
+			assert.Equal(t, "NetBird Version Check", got[0].Name)
+
+			select {
+			case <-done:
+			case <-time.After(time.Second):
+				t.Error("timeout waiting for peerShouldNotReceiveUpdate")
+			}
+		})
+	}
+}
+
+func Test_PostureChecks_GetById(t *testing.T) {
+	users := []struct {
+		name           string
+		userId         string
+		expectResponse bool
+	}{
+		{"Regular user", testing_tools.TestUserId, false},
+		{"Admin user", testing_tools.TestAdminId, true},
+		{"Owner user", testing_tools.TestOwnerId, true},
+		{"Regular service user", testing_tools.TestServiceUserId, false},
+		{"Admin service user", testing_tools.TestServiceAdminId, true},
+		{"Blocked user", testing_tools.BlockedUserId, false},
+		{"Other user", testing_tools.OtherUserId, false},
+		{"Invalid token", testing_tools.InvalidToken, false},
+	}
+
+	tt := []struct {
+		name           string
+		postureCheckId string
+		expectedStatus int
+		expectCheck    bool
+	}{
+		{
+			name:           "Get existing posture check",
+			postureCheckId: "testPostureCheckId",
+			expectedStatus: http.StatusOK,
+			expectCheck:    true,
+		},
+		{
+			name:           "Get non-existing posture check",
+			postureCheckId: "nonExistingPostureCheckId",
+			expectedStatus: http.StatusNotFound,
+			expectCheck:    false,
+		},
+	}
+
+	for _, tc := range tt {
+		for _, user := range users {
+			t.Run(user.name+" - "+tc.name, func(t *testing.T) {
+				apiHandler, _, done := channel.BuildApiBlackBoxWithDBState(t, "../testdata/posture_checks.sql", nil, true)
+
+				req := testing_tools.BuildRequest(t, []byte{}, http.MethodGet, strings.Replace("/api/posture-checks/{postureCheckId}", "{postureCheckId}", tc.postureCheckId, 1), user.userId)
+				recorder := httptest.NewRecorder()
+				apiHandler.ServeHTTP(recorder, req)
+
+				content, expectResponse := testing_tools.ReadResponse(t, recorder, tc.expectedStatus, user.expectResponse)
+				if !expectResponse {
+					return
+				}
+
+				if tc.expectCheck {
+					got := &api.PostureCheck{}
+					if err := json.Unmarshal(content, got); err != nil {
+						t.Fatalf("Sent content is not in correct json format; %v", err)
+					}
+					assert.Equal(t, "testPostureCheckId", got.Id)
+					assert.Equal(t, "NetBird Version Check", got.Name)
+				}
+
+				select {
+				case <-done:
+				case <-time.After(time.Second):
+					t.Error("timeout waiting for peerShouldNotReceiveUpdate")
+				}
+			})
+		}
+	}
+}
+
+func Test_PostureChecks_Create(t *testing.T) {
+	users := []struct {
+		name           string
+		userId         string
+		expectResponse bool
+	}{
+		{"Regular user", testing_tools.TestUserId, false},
+		{"Admin user", testing_tools.TestAdminId, true},
+		{"Owner user", testing_tools.TestOwnerId, true},
+		{"Regular service user", testing_tools.TestServiceUserId, false},
+		{"Admin service user", testing_tools.TestServiceAdminId, true},
+		{"Blocked user", testing_tools.BlockedUserId, false},
+		{"Other user", testing_tools.OtherUserId, false},
+		{"Invalid token", testing_tools.InvalidToken, false},
+	}
+
+	minVersion := "0.32.0"
+	tt := []struct {
+		name           string
+		requestBody    *api.PostureCheckUpdate
+		expectedStatus int
+		verifyResponse func(t *testing.T, check *api.PostureCheck)
+	}{
+		{
+			name: "Create posture check with NB version",
+			requestBody: &api.PostureCheckUpdate{
+				Name:        "New Version Check",
+				Description: "check for new version",
+				Checks: &api.Checks{
+					NbVersionCheck: &api.NBVersionCheck{
+						MinVersion: minVersion,
+					},
+				},
+			},
+			expectedStatus: http.StatusOK,
+			verifyResponse: func(t *testing.T, check *api.PostureCheck) {
+				t.Helper()
+				assert.NotEmpty(t, check.Id)
+				assert.Equal(t, "New Version Check", check.Name)
+				assert.NotNil(t, check.Checks.NbVersionCheck)
+				assert.Equal(t, minVersion, check.Checks.NbVersionCheck.MinVersion)
+			},
+		},
+		{
+			name: "Create posture check with empty name",
+			requestBody: &api.PostureCheckUpdate{
+				Name: "",
+				Checks: &api.Checks{
+					NbVersionCheck: &api.NBVersionCheck{
+						MinVersion: "0.32.0",
+					},
+				},
+			},
+			expectedStatus: http.StatusUnprocessableEntity,
+		},
+	}
+
+	for _, tc := range tt {
+		for _, user := range users {
+			t.Run(user.name+" - "+tc.name, func(t *testing.T) {
+				apiHandler, am, _ := channel.BuildApiBlackBoxWithDBState(t, "../testdata/posture_checks.sql", nil, false)
+
+				body, err := json.Marshal(tc.requestBody)
+				if err != nil {
+					t.Fatalf("Failed to marshal request body: %v", err)
+				}
+
+				req := testing_tools.BuildRequest(t, body, http.MethodPost, "/api/posture-checks", user.userId)
+				recorder := httptest.NewRecorder()
+				apiHandler.ServeHTTP(recorder, req)
+
+				content, expectResponse := testing_tools.ReadResponse(t, recorder, tc.expectedStatus, user.expectResponse)
+				if !expectResponse {
+					return
+				}
+
+				if tc.verifyResponse != nil {
+					got := &api.PostureCheck{}
+					if err := json.Unmarshal(content, got); err != nil {
+						t.Fatalf("Sent content is not in correct json format; %v", err)
+					}
+					tc.verifyResponse(t, got)
+
+					db := testing_tools.GetDB(t, am.GetStore())
+					dbCheck := testing_tools.VerifyPostureCheckInDB(t, db, got.Id)
+					assert.Equal(t, got.Name, dbCheck.Name)
+				}
+			})
+		}
+	}
+}
+
+func Test_PostureChecks_Update(t *testing.T) {
+	users := []struct {
+		name           string
+		userId         string
+		expectResponse bool
+	}{
+		{"Regular user", testing_tools.TestUserId, false},
+		{"Admin user", testing_tools.TestAdminId, true},
+		{"Owner user", testing_tools.TestOwnerId, true},
+		{"Regular service user", testing_tools.TestServiceUserId, false},
+		{"Admin service user", testing_tools.TestServiceAdminId, true},
+		{"Blocked user", testing_tools.BlockedUserId, false},
+		{"Other user", testing_tools.OtherUserId, false},
+		{"Invalid token", testing_tools.InvalidToken, false},
+	}
+
+	minVersion := "0.33.0"
+	tt := []struct {
+		name           string
+		postureCheckId string
+		requestBody    *api.PostureCheckUpdate
+		expectedStatus int
+		verifyResponse func(t *testing.T, check *api.PostureCheck)
+	}{
+		{
+			name:           "Update posture check name and version",
+			postureCheckId: "testPostureCheckId",
+			requestBody: &api.PostureCheckUpdate{
+				Name:        "Updated Version Check",
+				Description: "updated description",
+				Checks: &api.Checks{
+					NbVersionCheck: &api.NBVersionCheck{
+						MinVersion: minVersion,
+					},
+				},
+			},
+			expectedStatus: http.StatusOK,
+			verifyResponse: func(t *testing.T, check *api.PostureCheck) {
+				t.Helper()
+				assert.Equal(t, "testPostureCheckId", check.Id)
+				assert.Equal(t, "Updated Version Check", check.Name)
+			},
+		},
+		{
+			name:           "Update non-existing posture check",
+			postureCheckId: "nonExistingPostureCheckId",
+			requestBody: &api.PostureCheckUpdate{
+				Name: "whatever",
+				Checks: &api.Checks{
+					NbVersionCheck: &api.NBVersionCheck{
+						MinVersion: "0.33.0",
+					},
+				},
+			},
+			expectedStatus: http.StatusNotFound,
+		},
+	}
+
+	for _, tc := range tt {
+		for _, user := range users {
+			t.Run(user.name+" - "+tc.name, func(t *testing.T) {
+				apiHandler, am, _ := channel.BuildApiBlackBoxWithDBState(t, "../testdata/posture_checks.sql", nil, false)
+
+				body, err := json.Marshal(tc.requestBody)
+				if err != nil {
+					t.Fatalf("Failed to marshal request body: %v", err)
+				}
+
+				req := testing_tools.BuildRequest(t, body, http.MethodPut, strings.Replace("/api/posture-checks/{postureCheckId}", "{postureCheckId}", tc.postureCheckId, 1), user.userId)
+				recorder := httptest.NewRecorder()
+				apiHandler.ServeHTTP(recorder, req)
+
+				content, expectResponse := testing_tools.ReadResponse(t, recorder, tc.expectedStatus, user.expectResponse)
+				if !expectResponse {
+					return
+				}
+
+				if tc.verifyResponse != nil {
+					got := &api.PostureCheck{}
+					if err := json.Unmarshal(content, got); err != nil {
+						t.Fatalf("Sent content is not in correct json format; %v", err)
+					}
+					tc.verifyResponse(t, got)
+
+					db := testing_tools.GetDB(t, am.GetStore())
+					dbCheck := testing_tools.VerifyPostureCheckInDB(t, db, tc.postureCheckId)
+					assert.Equal(t, "Updated Version Check", dbCheck.Name)
+				}
+			})
+		}
+	}
+}
+
+func Test_PostureChecks_Delete(t *testing.T) {
+	users := []struct {
+		name           string
+		userId         string
+		expectResponse bool
+	}{
+		{"Regular user", testing_tools.TestUserId, false},
+		{"Admin user", testing_tools.TestAdminId, true},
+		{"Owner user", testing_tools.TestOwnerId, true},
+		{"Regular service user", testing_tools.TestServiceUserId, false},
+		{"Admin service user", testing_tools.TestServiceAdminId, true},
+		{"Blocked user", testing_tools.BlockedUserId, false},
+		{"Other user", testing_tools.OtherUserId, false},
+		{"Invalid token", testing_tools.InvalidToken, false},
+	}
+
+	tt := []struct {
+		name           string
+		postureCheckId string
+		expectedStatus int
+	}{
+		{
+			name:           "Delete existing posture check",
+			postureCheckId: "testPostureCheckId",
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "Delete non-existing posture check",
+			postureCheckId: "nonExistingPostureCheckId",
+			expectedStatus: http.StatusNotFound,
+		},
+	}
+
+	for _, tc := range tt {
+		for _, user := range users {
+			t.Run(user.name+" - "+tc.name, func(t *testing.T) {
+				apiHandler, am, _ := channel.BuildApiBlackBoxWithDBState(t, "../testdata/posture_checks.sql", nil, false)
+
+				req := testing_tools.BuildRequest(t, []byte{}, http.MethodDelete, strings.Replace("/api/posture-checks/{postureCheckId}", "{postureCheckId}", tc.postureCheckId, 1), user.userId)
+				recorder := httptest.NewRecorder()
+				apiHandler.ServeHTTP(recorder, req)
+
+				testing_tools.ReadResponse(t, recorder, tc.expectedStatus, user.expectResponse)
+
+				if tc.expectedStatus == http.StatusOK && user.expectResponse {
+					db := testing_tools.GetDB(t, am.GetStore())
+					testing_tools.VerifyPostureCheckNotInDB(t, db, tc.postureCheckId)
+				}
+			})
+		}
+	}
+}

management/server/http/testing/integration/users_approve_reject_handler_integration_test.go

@@ -0,0 +1,124 @@
+//go:build integration
+
+package integration
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/netbirdio/netbird/management/server/http/testing/testing_tools"
+	"github.com/netbirdio/netbird/management/server/http/testing/testing_tools/channel"
+)
+
+func Test_Users_Approve(t *testing.T) {
+	users := []struct {
+		name           string
+		userId         string
+		expectResponse bool
+	}{
+		{"Regular user", testing_tools.TestUserId, false},
+		{"Admin user", testing_tools.TestAdminId, true},
+		{"Owner user", testing_tools.TestOwnerId, true},
+		{"Regular service user", testing_tools.TestServiceUserId, false},
+		{"Admin service user", testing_tools.TestServiceAdminId, true},
+		{"Blocked user", testing_tools.BlockedUserId, false},
+		{"Other user", testing_tools.OtherUserId, false},
+		{"Invalid token", testing_tools.InvalidToken, false},
+	}
+
+	tt := []struct {
+		name           string
+		targetUserId   string
+		expectedStatus int
+	}{
+		{
+			name:           "Approve pending user",
+			targetUserId:   "pendingUserId",
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "Approve non-existing user",
+			targetUserId:   "nonExistingUserId",
+			expectedStatus: http.StatusNotFound,
+		},
+		{
+			name:           "Approve already active user",
+			targetUserId:   testing_tools.TestUserId,
+			expectedStatus: http.StatusUnprocessableEntity,
+		},
+	}
+
+	for _, tc := range tt {
+		for _, user := range users {
+			t.Run(user.name+" - "+tc.name, func(t *testing.T) {
+				apiHandler, _, _ := channel.BuildApiBlackBoxWithDBState(t, "../testdata/users_approve_reject.sql", nil, false)
+
+				req := testing_tools.BuildRequest(t, []byte{}, http.MethodPost, strings.Replace("/api/users/{userId}/approve", "{userId}", tc.targetUserId, 1), user.userId)
+				recorder := httptest.NewRecorder()
+				apiHandler.ServeHTTP(recorder, req)
+
+				testing_tools.ReadResponse(t, recorder, tc.expectedStatus, user.expectResponse)
+			})
+		}
+	}
+}
+
+func Test_Users_Reject(t *testing.T) {
+	users := []struct {
+		name           string
+		userId         string
+		expectResponse bool
+	}{
+		{"Regular user", testing_tools.TestUserId, false},
+		{"Admin user", testing_tools.TestAdminId, true},
+		{"Owner user", testing_tools.TestOwnerId, true},
+		{"Regular service user", testing_tools.TestServiceUserId, false},
+		{"Admin service user", testing_tools.TestServiceAdminId, true},
+		{"Blocked user", testing_tools.BlockedUserId, false},
+		{"Other user", testing_tools.OtherUserId, false},
+		{"Invalid token", testing_tools.InvalidToken, false},
+	}
+
+	tt := []struct {
+		name           string
+		targetUserId   string
+		expectedStatus int
+	}{
+		{
+			name:           "Reject pending user",
+			targetUserId:   "pendingUserId",
+			expectedStatus: http.StatusOK,
+		},
+		{
+			name:           "Reject non-existing user",
+			targetUserId:   "nonExistingUserId",
+			expectedStatus: http.StatusNotFound,
+		},
+		{
+			name:           "Reject non-pending user",
+			targetUserId:   testing_tools.TestUserId,
+			expectedStatus: http.StatusUnprocessableEntity,
+		},
+	}
+
+	for _, tc := range tt {
+		for _, user := range users {
+			t.Run(user.name+" - "+tc.name, func(t *testing.T) {
+				apiHandler, am, _ := channel.BuildApiBlackBoxWithDBState(t, "../testdata/users_approve_reject.sql", nil, false)
+
+				req := testing_tools.BuildRequest(t, []byte{}, http.MethodDelete, strings.Replace("/api/users/{userId}/reject", "{userId}", tc.targetUserId, 1), user.userId)
+				recorder := httptest.NewRecorder()
+				apiHandler.ServeHTTP(recorder, req)
+
+				_, expectResponse := testing_tools.ReadResponse(t, recorder, tc.expectedStatus, user.expectResponse)
+
+				if expectResponse && tc.expectedStatus == http.StatusOK {
+					db := testing_tools.GetDB(t, am.GetStore())
+					testing_tools.VerifyUserNotInDB(t, db, tc.targetUserId)
+				}
+			})
+		}
+	}
+}

management/server/http/testing/testing_tools/db_verify.go

@@ -12,6 +12,7 @@ import (
 	routerTypes "github.com/netbirdio/netbird/management/server/networks/routers/types"
 	networkTypes "github.com/netbirdio/netbird/management/server/networks/types"
 	nbpeer "github.com/netbirdio/netbird/management/server/peer"
+	"github.com/netbirdio/netbird/management/server/posture"
 	"github.com/netbirdio/netbird/management/server/store"
 	"github.com/netbirdio/netbird/management/server/types"
 	"github.com/netbirdio/netbird/route"
@@ -220,3 +221,20 @@ func VerifyNetworkRouterNotInDB(t *testing.T, db *gorm.DB, routerID string) {
 	db.Model(&routerTypes.NetworkRouter{}).Where("id = ? AND account_id = ?", routerID, TestAccountId).Count(&count)
 	assert.Equal(t, int64(0), count, "Expected network router %s to NOT exist in DB", routerID)
 }
+
+// VerifyPostureCheckInDB reads a posture check directly from the DB and returns it.
+func VerifyPostureCheckInDB(t *testing.T, db *gorm.DB, postureCheckID string) *posture.Checks {
+	t.Helper()
+	var check posture.Checks
+	err := db.Where("id = ? AND account_id = ?", postureCheckID, TestAccountId).First(&check).Error
+	require.NoError(t, err, "Expected posture check %s to exist in DB", postureCheckID)
+	return &check
+}
+
+// VerifyPostureCheckNotInDB verifies that a posture check does not exist in the DB.
+func VerifyPostureCheckNotInDB(t *testing.T, db *gorm.DB, postureCheckID string) {
+	t.Helper()
+	var count int64
+	db.Model(&posture.Checks{}).Where("id = ? AND account_id = ?", postureCheckID, TestAccountId).Count(&count)
+	assert.Equal(t, int64(0), count, "Expected posture check %s to NOT exist in DB", postureCheckID)
+}