[SM-706] Extract Authorization From Create/Update Secret Commands (#2896)

* Extract authorization from commands * Swap to request model validation. * Swap to pattern detection
2025-06-30 15:42:48 -05:00 · 2023-06-08 16:40:35 -05:00
parent 6a9e7a1d0a
commit 05f11a8ee1
15 changed files with 674 additions and 231 deletions
--- a/test/Api.Test/SecretsManager/Controllers/SecretsControllerTests.cs
+++ b/test/Api.Test/SecretsManager/Controllers/SecretsControllerTests.cs
@ -1,4 +1,5 @@
-using Bit.Api.SecretsManager.Controllers;
+using System.Security.Claims;
+using Bit.Api.SecretsManager.Controllers;
 using Bit.Api.SecretsManager.Models.Request;
 using Bit.Api.Test.SecretsManager.Enums;
 using Bit.Core.Context;
@ -13,6 +14,7 @@ using Bit.Core.Test.SecretsManager.AutoFixture.SecretsFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Bit.Test.Common.Helpers;
+using Microsoft.AspNetCore.Authorization;
 using NSubstitute;
 using Xunit;

@ -125,9 +127,8 @@ public class SecretsControllerTests
    }

    [Theory]
-    [BitAutoData(PermissionType.RunAsAdmin)]
-    [BitAutoData(PermissionType.RunAsUserWithPermission)]
-    public async void CreateSecret_Success(PermissionType permissionType, SutProvider<SecretsController> sutProvider, SecretCreateRequestModel data, Guid organizationId, Project mockProject, Guid userId)
+    [BitAutoData]
+    public async void CreateSecret_NoAccess_Throws(SutProvider<SecretsController> sutProvider, SecretCreateRequestModel data, Guid organizationId, Guid userId)
    {
        // We currently only allow a secret to be in one project at a time
        if (data.ProjectIds != null && data.ProjectIds.Length > 1)
@ -135,33 +136,23 @@ public class SecretsControllerTests
            data.ProjectIds = new Guid[] { data.ProjectIds.ElementAt(0) };
        }

+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToSecret(organizationId),
+                Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
+
        var resultSecret = data.ToSecret(organizationId);
        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);

-        if (permissionType == PermissionType.RunAsAdmin)
-        {
-            sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(organizationId).Returns(true);
-        }
-        else
-        {
-            resultSecret.Projects = new List<Core.SecretsManager.Entities.Project>() { mockProject };
-            sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(organizationId).Returns(false);
-            sutProvider.GetDependency<IProjectRepository>().AccessToProjectAsync(Arg.Any<Guid>(), Arg.Any<Guid>(), AccessClientType.User)
-                .Returns((true, true));
-        }
+        sutProvider.GetDependency<ICreateSecretCommand>().CreateAsync(default).ReturnsForAnyArgs(resultSecret);

-        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId).Returns(true);
-        sutProvider.GetDependency<ICreateSecretCommand>().CreateAsync(default, userId).ReturnsForAnyArgs(resultSecret);
-
-        var result = await sutProvider.Sut.CreateAsync(organizationId, data);
-        await sutProvider.GetDependency<ICreateSecretCommand>().Received(1)
-                     .CreateAsync(Arg.Any<Secret>(), userId);
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAsync(organizationId, data));
+        await sutProvider.GetDependency<ICreateSecretCommand>().DidNotReceiveWithAnyArgs()
+            .CreateAsync(Arg.Any<Secret>());
    }

    [Theory]
-    [BitAutoData(PermissionType.RunAsAdmin)]
-    [BitAutoData(PermissionType.RunAsUserWithPermission)]
-    public async void UpdateSecret_Success(PermissionType permissionType, SutProvider<SecretsController> sutProvider, SecretUpdateRequestModel data, Guid secretId, Guid organizationId, Guid userId, Project mockProject)
+    [BitAutoData]
+    public async void CreateSecret_Success(SutProvider<SecretsController> sutProvider, SecretCreateRequestModel data, Guid organizationId, Guid userId)
    {
        // We currently only allow a secret to be in one project at a time
        if (data.ProjectIds != null && data.ProjectIds.Length > 1)
@ -169,26 +160,87 @@ public class SecretsControllerTests
            data.ProjectIds = new Guid[] { data.ProjectIds.ElementAt(0) };
        }

+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToSecret(organizationId),
+                Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
+
+        var resultSecret = data.ToSecret(organizationId);
        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);

-        if (permissionType == PermissionType.RunAsAdmin)
+        sutProvider.GetDependency<ICreateSecretCommand>().CreateAsync(default).ReturnsForAnyArgs(resultSecret);
+
+        await sutProvider.Sut.CreateAsync(organizationId, data);
+
+        await sutProvider.GetDependency<ICreateSecretCommand>().Received(1)
+            .CreateAsync(Arg.Any<Secret>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async void UpdateSecret_NoAccess_Throws(SutProvider<SecretsController> sutProvider, SecretUpdateRequestModel data, Guid secretId, Guid organizationId, Secret mockSecret)
+    {
+        // We currently only allow a secret to be in one project at a time
+        if (data.ProjectIds != null && data.ProjectIds.Length > 1)
        {
-            sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(organizationId).Returns(true);
-        }
-        else
-        {
-            data.ProjectIds = new Guid[] { mockProject.Id };
-            sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(organizationId).Returns(false);
-            sutProvider.GetDependency<IProjectRepository>().AccessToProjectAsync(default, default, default)
-                .Returns((true, true));
+            data.ProjectIds = new Guid[] { data.ProjectIds.ElementAt(0) };
        }

-        var resultSecret = data.ToSecret(secretId);
-        sutProvider.GetDependency<IUpdateSecretCommand>().UpdateAsync(default, userId).ReturnsForAnyArgs(resultSecret);
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToSecret(secretId, organizationId),
+                Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secretId).ReturnsForAnyArgs(mockSecret);

-        var result = await sutProvider.Sut.UpdateSecretAsync(secretId, data);
+        var resultSecret = data.ToSecret(secretId, organizationId);
+        sutProvider.GetDependency<IUpdateSecretCommand>().UpdateAsync(default).ReturnsForAnyArgs(resultSecret);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateSecretAsync(secretId, data));
+        await sutProvider.GetDependency<IUpdateSecretCommand>().DidNotReceiveWithAnyArgs()
+            .UpdateAsync(Arg.Any<Secret>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async void UpdateSecret_SecretDoesNotExist_Throws(SutProvider<SecretsController> sutProvider, SecretUpdateRequestModel data, Guid secretId, Guid organizationId)
+    {
+        // We currently only allow a secret to be in one project at a time
+        if (data.ProjectIds != null && data.ProjectIds.Length > 1)
+        {
+            data.ProjectIds = new Guid[] { data.ProjectIds.ElementAt(0) };
+        }
+
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToSecret(secretId, organizationId),
+                Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
+
+        var resultSecret = data.ToSecret(secretId, organizationId);
+        sutProvider.GetDependency<IUpdateSecretCommand>().UpdateAsync(default).ReturnsForAnyArgs(resultSecret);
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateSecretAsync(secretId, data));
+        await sutProvider.GetDependency<IUpdateSecretCommand>().DidNotReceiveWithAnyArgs()
+            .UpdateAsync(Arg.Any<Secret>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async void UpdateSecret_Success(SutProvider<SecretsController> sutProvider, SecretUpdateRequestModel data, Guid secretId, Guid organizationId, Secret mockSecret)
+    {
+        // We currently only allow a secret to be in one project at a time
+        if (data.ProjectIds != null && data.ProjectIds.Length > 1)
+        {
+            data.ProjectIds = new Guid[] { data.ProjectIds.ElementAt(0) };
+        }
+
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToSecret(secretId, organizationId),
+                Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secretId).ReturnsForAnyArgs(mockSecret);
+
+        var resultSecret = data.ToSecret(secretId, organizationId);
+        sutProvider.GetDependency<IUpdateSecretCommand>().UpdateAsync(default).ReturnsForAnyArgs(resultSecret);
+
+        await sutProvider.Sut.UpdateSecretAsync(secretId, data);
        await sutProvider.GetDependency<IUpdateSecretCommand>().Received(1)
-                     .UpdateAsync(Arg.Any<Secret>(), userId);
+            .UpdateAsync(Arg.Any<Secret>());
    }

    [Theory]