[SM-919] Add project people access policy management endpoints (#3285)

* Expose access policy discriminators * Add people policy model and auth handler * Add unit tests for authz handler * Add people policies support in repo * Add new endpoints and request/response models * Update tests
2025-06-30 07:36:14 -05:00 · 2023-11-08 11:42:40 -05:00
parent 35500b197d
commit 0ca65e3f9d
17 changed files with 1211 additions and 73 deletions
--- a/test/Api.IntegrationTest/SecretsManager/Controllers/AccessPoliciesControllerTests.cs
+++ b/test/Api.IntegrationTest/SecretsManager/Controllers/AccessPoliciesControllerTests.cs
@ -5,6 +5,8 @@ using Bit.Api.IntegrationTest.SecretsManager.Enums;
 using Bit.Api.Models.Response;
 using Bit.Api.SecretsManager.Models.Request;
 using Bit.Api.SecretsManager.Models.Response;
+using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.SecretsManager.Entities;
@ -25,6 +27,7 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
    private readonly ApiApplicationFactory _factory;
    private readonly IProjectRepository _projectRepository;
    private readonly IServiceAccountRepository _serviceAccountRepository;
+    private readonly IGroupRepository _groupRepository;
    private string _email = null!;
    private SecretsManagerOrganizationHelper _organizationHelper = null!;

@ -35,6 +38,7 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
        _accessPolicyRepository = _factory.GetService<IAccessPolicyRepository>();
        _serviceAccountRepository = _factory.GetService<IServiceAccountRepository>();
        _projectRepository = _factory.GetService<IProjectRepository>();
+        _groupRepository = _factory.GetService<IGroupRepository>();
    }

    public async Task InitializeAsync()
@ -660,7 +664,7 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
    [InlineData(PermissionType.RunAsUserWithPermission)]
    public async Task CreateServiceAccountAccessPolicies_MismatchOrgId_NotFound(PermissionType permissionType)
    {
-        var (org, orgUser) = await _organizationHelper.Initialize(true, true, true);
+        var (_, orgUser) = await _organizationHelper.Initialize(true, true, true);
        await LoginAsync(_email);
        var anotherOrg = await _organizationHelper.CreateSmOrganizationAsync();

@ -904,9 +908,8 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
    [InlineData(PermissionType.RunAsUserWithPermission)]
    public async Task CreateServiceAccountGrantedPolicies_MismatchedOrgId_NotFound(PermissionType permissionType)
    {
-        var (org, orgUser) = await _organizationHelper.Initialize(true, true, true);
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
        await LoginAsync(_email);
-        var ownerOrgUserId = orgUser.Id;

        var (projectId, serviceAccountId) = await CreateProjectAndServiceAccountAsync(org.Id, true);
        await SetupProjectAndServiceAccountPermissionAsync(permissionType, projectId, serviceAccountId);
@ -925,9 +928,8 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
    [InlineData(PermissionType.RunAsUserWithPermission)]
    public async Task CreateServiceAccountGrantedPolicies_Success(PermissionType permissionType)
    {
-        var (org, orgUser) = await _organizationHelper.Initialize(true, true, true);
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
        await LoginAsync(_email);
-        var ownerOrgUserId = orgUser.Id;

        var (projectId, serviceAccountId) = await CreateProjectAndServiceAccountAsync(org.Id);
        await SetupProjectAndServiceAccountPermissionAsync(permissionType, projectId, serviceAccountId);
@ -1051,6 +1053,183 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
        Assert.NotNull(result.Data.First().GrantedProjectName);
    }

+    [Theory]
+    [InlineData(false, false, false)]
+    [InlineData(false, false, true)]
+    [InlineData(false, true, false)]
+    [InlineData(false, true, true)]
+    [InlineData(true, false, false)]
+    [InlineData(true, false, true)]
+    [InlineData(true, true, false)]
+    public async Task GetProjectPeopleAccessPolicies_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets, bool organizationEnabled)
+    {
+        var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
+        await LoginAsync(_email);
+
+        var initData = await SetupAccessPolicyRequest(org.Id);
+
+        var response = await _client.GetAsync($"/projects/{initData.ProjectId}/access-policies/people");
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task GetProjectPeopleAccessPolicies_ReturnsEmpty()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await LoginAsync(_email);
+
+        var project = await _projectRepository.CreateAsync(new Project
+        {
+            OrganizationId = org.Id,
+            Name = _mockEncryptedString
+        });
+
+        var response = await _client.GetAsync($"/projects/{project.Id}/access-policies/people");
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<ProjectPeopleAccessPoliciesResponseModel>();
+
+        Assert.NotNull(result);
+        Assert.Empty(result!.UserAccessPolicies);
+        Assert.Empty(result.GroupAccessPolicies);
+    }
+
+    [Fact]
+    public async Task GetProjectPeopleAccessPolicies_NoPermission_NotFound()
+    {
+        await _organizationHelper.Initialize(true, true, true);
+        var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
+        await LoginAsync(email);
+
+        var project = await _projectRepository.CreateAsync(new Project
+        {
+            OrganizationId = orgUser.OrganizationId,
+            Name = _mockEncryptedString
+        });
+
+        var response = await _client.GetAsync($"/projects/{project.Id}/access-policies/people");
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(PermissionType.RunAsAdmin)]
+    [InlineData(PermissionType.RunAsUserWithPermission)]
+    public async Task GetProjectPeopleAccessPolicies_Success(PermissionType permissionType)
+    {
+        var (_, organizationUser) = await _organizationHelper.Initialize(true, true, true);
+        await LoginAsync(_email);
+
+        var (project, _) = await SetupProjectPeoplePermissionAsync(permissionType, organizationUser);
+
+        var response = await _client.GetAsync($"/projects/{project.Id}/access-policies/people");
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<ProjectPeopleAccessPoliciesResponseModel>();
+
+        Assert.NotNull(result?.UserAccessPolicies);
+        Assert.Single(result!.UserAccessPolicies);
+    }
+
+    [Theory]
+    [InlineData(false, false, false)]
+    [InlineData(false, false, true)]
+    [InlineData(false, true, false)]
+    [InlineData(false, true, true)]
+    [InlineData(true, false, false)]
+    [InlineData(true, false, true)]
+    [InlineData(true, true, false)]
+    public async Task PutProjectPeopleAccessPolicies_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets, bool organizationEnabled)
+    {
+        var (_, organizationUser) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
+        await LoginAsync(_email);
+
+        var (project, request) = await SetupProjectPeopleRequestAsync(PermissionType.RunAsAdmin, organizationUser);
+
+        var response = await _client.PutAsJsonAsync($"/projects/{project.Id}/access-policies/people", request);
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task PutProjectPeopleAccessPolicies_NoPermission()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        var (email, organizationUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
+        await LoginAsync(email);
+
+        var project = await _projectRepository.CreateAsync(new Project
+        {
+            OrganizationId = org.Id,
+            Name = _mockEncryptedString
+        });
+
+        var request = new PeopleAccessPoliciesRequestModel
+        {
+            UserAccessPolicyRequests = new List<AccessPolicyRequest>
+            {
+                new() { GranteeId = organizationUser.Id, Read = true, Write = true }
+            }
+        };
+
+        var response = await _client.PutAsJsonAsync($"/projects/{project.Id}/access-policies/people", request);
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(PermissionType.RunAsAdmin)]
+    [InlineData(PermissionType.RunAsUserWithPermission)]
+    public async Task PutProjectPeopleAccessPolicies_MismatchedOrgIds_NotFound(PermissionType permissionType)
+    {
+        var (_, organizationUser) = await _organizationHelper.Initialize(true, true, true);
+        await LoginAsync(_email);
+
+        var (project, request) = await SetupProjectPeopleRequestAsync(permissionType, organizationUser);
+        var newOrg = await _organizationHelper.CreateSmOrganizationAsync();
+        var group = await _groupRepository.CreateAsync(new Group
+        {
+            OrganizationId = newOrg.Id,
+            Name = _mockEncryptedString
+        });
+        request.GroupAccessPolicyRequests = new List<AccessPolicyRequest>
+        {
+            new() { GranteeId = group.Id, Read = true, Write = true }
+        };
+
+        var response = await _client.PutAsJsonAsync($"/projects/{project.Id}/access-policies/people", request);
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(PermissionType.RunAsAdmin)]
+    [InlineData(PermissionType.RunAsUserWithPermission)]
+    public async Task PutProjectPeopleAccessPolicies_Success(PermissionType permissionType)
+    {
+        var (_, organizationUser) = await _organizationHelper.Initialize(true, true, true);
+        await LoginAsync(_email);
+
+        var (project, request) = await SetupProjectPeopleRequestAsync(permissionType, organizationUser);
+
+        var response = await _client.PutAsJsonAsync($"/projects/{project.Id}/access-policies/people", request);
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<ProjectPeopleAccessPoliciesResponseModel>();
+
+        Assert.NotNull(result);
+        Assert.Equal(request.UserAccessPolicyRequests.First().GranteeId,
+            result!.UserAccessPolicies.First().OrganizationUserId);
+        Assert.True(result.UserAccessPolicies.First().Read);
+        Assert.True(result.UserAccessPolicies.First().Write);
+
+        var createdAccessPolicy =
+            await _accessPolicyRepository.GetByIdAsync(result.UserAccessPolicies.First().Id);
+        Assert.NotNull(createdAccessPolicy);
+        Assert.Equal(result.UserAccessPolicies.First().Read, createdAccessPolicy!.Read);
+        Assert.Equal(result.UserAccessPolicies.First().Write, createdAccessPolicy.Write);
+        Assert.Equal(result.UserAccessPolicies.First().Id, createdAccessPolicy.Id);
+    }
+
    private async Task<RequestSetupData> SetupAccessPolicyRequest(Guid organizationId)
    {
        var project = await _projectRepository.CreateAsync(new Project
@ -1082,6 +1261,52 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
        };
    }

+    private async Task<(Project project, OrganizationUser currentUser)> SetupProjectPeoplePermissionAsync(
+        PermissionType permissionType,
+        OrganizationUser organizationUser)
+    {
+        var project = await _projectRepository.CreateAsync(new Project
+        {
+            OrganizationId = organizationUser.OrganizationId,
+            Name = _mockEncryptedString
+        });
+
+        if (permissionType == PermissionType.RunAsUserWithPermission)
+        {
+            var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
+            await LoginAsync(email);
+            organizationUser = orgUser;
+        }
+
+        var accessPolicies = new List<BaseAccessPolicy>
+        {
+            new UserProjectAccessPolicy
+            {
+                GrantedProjectId = project.Id,
+                OrganizationUserId = organizationUser.Id,
+                Read = true,
+                Write = true
+            }
+        };
+        await _accessPolicyRepository.CreateManyAsync(accessPolicies);
+
+        return (project, organizationUser);
+    }
+
+    private async Task<(Project project, PeopleAccessPoliciesRequestModel request)> SetupProjectPeopleRequestAsync(
+        PermissionType permissionType, OrganizationUser organizationUser)
+    {
+        var (project, currentUser) = await SetupProjectPeoplePermissionAsync(permissionType, organizationUser);
+        var request = new PeopleAccessPoliciesRequestModel
+        {
+            UserAccessPolicyRequests = new List<AccessPolicyRequest>
+            {
+                new() { GranteeId = currentUser.Id, Read = true, Write = true }
+            }
+        };
+        return (project, request);
+    }
+
    private async Task<(Guid ProjectId, Guid ServiceAccountId)> CreateProjectAndServiceAccountAsync(Guid organizationId,
        bool misMatchOrganization = false)
    {
--- a/test/Api.Test/SecretsManager/Controllers/AccessPoliciesControllerTests.cs
+++ b/test/Api.Test/SecretsManager/Controllers/AccessPoliciesControllerTests.cs
@ -2,14 +2,12 @@
 using Bit.Api.SecretsManager.Controllers;
 using Bit.Api.SecretsManager.Models.Request;
 using Bit.Api.Test.SecretsManager.Enums;
-using Bit.Core.AdminConsole.Entities;
-using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
 using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Models.Data;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Test.SecretsManager.AutoFixture.ProjectsFixture;
@ -806,14 +804,17 @@ public class AccessPoliciesControllerTests
        Guid id)
    {
        SetupPermission(sutProvider, permissionType, id);
+        sutProvider.GetDependency<IAccessPolicyRepository>().GetPeopleGranteesAsync(default, default)
+            .ReturnsForAnyArgs(new PeopleGrantees
+            {
+                UserGrantees = new List<UserGrantee>(),
+                GroupGrantees = new List<GroupGrantee>()
+            });
+
        var result = await sutProvider.Sut.GetPeoplePotentialGranteesAsync(id);

-        await sutProvider.GetDependency<IGroupRepository>().Received(1)
-            .GetManyByOrganizationIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(id)));
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1)
-            .GetManyDetailsByOrganizationAsync(Arg.Is(AssertHelper.AssertPropertyEqual(id)));
-
+        await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
+            .GetPeopleGranteesAsync(id, Arg.Any<Guid>());
        Assert.Empty(result.Data);
    }

@ -826,17 +827,17 @@ public class AccessPoliciesControllerTests
        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(id).Returns(false);
        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(false);
        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
+        sutProvider.GetDependency<IAccessPolicyRepository>().GetPeopleGranteesAsync(default, default)
+            .ReturnsForAnyArgs(new PeopleGrantees
+            {
+                UserGrantees = new List<UserGrantee>(),
+                GroupGrantees = new List<GroupGrantee>()
+            });

        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetPeoplePotentialGranteesAsync(id));

-        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs()
-            .GetManyByOrganizationIdAsync(Arg.Any<Guid>());
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>().DidNotReceiveWithAnyArgs()
-            .GetManyDetailsByOrganizationAsync(Arg.Any<Guid>());
-
-        await sutProvider.GetDependency<IServiceAccountRepository>().DidNotReceiveWithAnyArgs()
-            .GetManyByOrganizationIdWriteAccessAsync(Arg.Any<Guid>(), Arg.Any<Guid>(), Arg.Any<AccessClientType>());
+        await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
+            .GetPeopleGranteesAsync(id, Arg.Any<Guid>());
    }

    [Theory]
@ -846,19 +847,20 @@ public class AccessPoliciesControllerTests
        PermissionType permissionType,
        SutProvider<AccessPoliciesController> sutProvider,
        Guid id,
-        Group mockGroup)
+        GroupGrantee groupGrantee)
    {
        SetupPermission(sutProvider, permissionType, id);
-        sutProvider.GetDependency<IGroupRepository>().GetManyByOrganizationIdAsync(default)
-            .ReturnsForAnyArgs(new List<Group> { mockGroup });
+        sutProvider.GetDependency<IAccessPolicyRepository>().GetPeopleGranteesAsync(default, default)
+            .ReturnsForAnyArgs(new PeopleGrantees
+            {
+                UserGrantees = new List<UserGrantee>(),
+                GroupGrantees = new List<GroupGrantee> { groupGrantee }
+            });

        var result = await sutProvider.Sut.GetPeoplePotentialGranteesAsync(id);

-        await sutProvider.GetDependency<IGroupRepository>().Received(1)
-            .GetManyByOrganizationIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(id)));
-
-        await sutProvider.GetDependency<IOrganizationUserRepository>().Received(1)
-            .GetManyDetailsByOrganizationAsync(Arg.Is(AssertHelper.AssertPropertyEqual(id)));
+        await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
+            .GetPeopleGranteesAsync(id, Arg.Any<Guid>());

        Assert.NotEmpty(result.Data);
    }
@ -980,4 +982,195 @@ public class AccessPoliciesControllerTests

        Assert.NotEmpty(result.Data);
    }
+
+    [Theory]
+    [BitAutoData(PermissionType.RunAsAdmin)]
+    [BitAutoData(PermissionType.RunAsUserWithPermission)]
+    public async void GetProjectPeopleAccessPolicies_ReturnsEmptyList(
+        PermissionType permissionType,
+        SutProvider<AccessPoliciesController> sutProvider,
+        Guid id, Project data)
+    {
+        sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
+
+        switch (permissionType)
+        {
+            case PermissionType.RunAsAdmin:
+                SetupAdmin(sutProvider, data.OrganizationId);
+                sutProvider.GetDependency<IProjectRepository>().AccessToProjectAsync(Arg.Any<Guid>(), Arg.Any<Guid>(),
+                        AccessClientType.NoAccessCheck)
+                    .Returns((true, true));
+                break;
+            case PermissionType.RunAsUserWithPermission:
+                SetupUserWithPermission(sutProvider, data.OrganizationId);
+                sutProvider.GetDependency<IProjectRepository>()
+                    .AccessToProjectAsync(Arg.Any<Guid>(), Arg.Any<Guid>(), AccessClientType.User)
+                    .Returns((true, true));
+                break;
+        }
+
+        var result = await sutProvider.Sut.GetProjectPeopleAccessPoliciesAsync(id);
+
+        await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
+            .GetPeoplePoliciesByGrantedProjectIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(id)), Arg.Any<Guid>());
+
+        Assert.Empty(result.GroupAccessPolicies);
+        Assert.Empty(result.UserAccessPolicies);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async void GetProjectPeopleAccessPolicies_UserWithoutPermission_Throws(
+        SutProvider<AccessPoliciesController> sutProvider,
+        Guid id,
+        Project data)
+    {
+        SetupUserWithoutPermission(sutProvider, data.OrganizationId);
+        sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
+        sutProvider.GetDependency<IProjectRepository>().AccessToProjectAsync(default, default, default)
+            .Returns((false, false));
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetProjectPeopleAccessPoliciesAsync(id));
+
+        await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
+            .GetPeoplePoliciesByGrantedProjectIdAsync(Arg.Any<Guid>(), Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async void GetProjectPeopleAccessPolicies_ProjectsExist_UserWithoutPermission_Throws(
+        SutProvider<AccessPoliciesController> sutProvider,
+        Guid id,
+        Project data,
+        UserProjectAccessPolicy resultAccessPolicy)
+    {
+        SetupUserWithoutPermission(sutProvider, data.OrganizationId);
+        sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
+        sutProvider.GetDependency<IProjectRepository>().AccessToProjectAsync(default, default, default)
+            .Returns((false, false));
+
+        sutProvider.GetDependency<IAccessPolicyRepository>().GetPeoplePoliciesByGrantedProjectIdAsync(default, default)
+            .ReturnsForAnyArgs(new List<BaseAccessPolicy> { resultAccessPolicy });
+
+        await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetProjectPeopleAccessPoliciesAsync(id));
+
+        await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
+            .GetPeoplePoliciesByGrantedProjectIdAsync(Arg.Any<Guid>(), Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData(PermissionType.RunAsAdmin)]
+    [BitAutoData(PermissionType.RunAsUserWithPermission)]
+    public async void GetProjectPeopleAccessPolicies_Success(
+        PermissionType permissionType,
+        SutProvider<AccessPoliciesController> sutProvider,
+        Guid id,
+        Project data,
+        UserProjectAccessPolicy resultUserPolicy,
+        GroupProjectAccessPolicy resultGroupPolicy)
+    {
+        sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
+        switch (permissionType)
+        {
+            case PermissionType.RunAsAdmin:
+                SetupAdmin(sutProvider, data.OrganizationId);
+                sutProvider.GetDependency<IProjectRepository>().AccessToProjectAsync(Arg.Any<Guid>(), Arg.Any<Guid>(),
+                        AccessClientType.NoAccessCheck)
+                    .Returns((true, true));
+                break;
+            case PermissionType.RunAsUserWithPermission:
+                SetupUserWithPermission(sutProvider, data.OrganizationId);
+                sutProvider.GetDependency<IProjectRepository>()
+                    .AccessToProjectAsync(Arg.Any<Guid>(), Arg.Any<Guid>(), AccessClientType.User)
+                    .Returns((true, true));
+                break;
+        }
+
+        sutProvider.GetDependency<IAccessPolicyRepository>().GetPeoplePoliciesByGrantedProjectIdAsync(default, default)
+            .ReturnsForAnyArgs(new List<BaseAccessPolicy> { resultUserPolicy, resultGroupPolicy });
+
+        var result = await sutProvider.Sut.GetProjectPeopleAccessPoliciesAsync(id);
+
+        await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
+            .GetPeoplePoliciesByGrantedProjectIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(id)), Arg.Any<Guid>());
+
+        Assert.NotEmpty(result.GroupAccessPolicies);
+        Assert.NotEmpty(result.UserAccessPolicies);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async void PutProjectPeopleAccessPolicies_ProjectDoesNotExist_Throws(
+        SutProvider<AccessPoliciesController> sutProvider,
+        Guid id,
+        PeopleAccessPoliciesRequestModel request)
+    {
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.PutProjectPeopleAccessPoliciesAsync(id, request));
+
+        await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
+            .ReplaceProjectPeopleAsync(Arg.Any<ProjectPeopleAccessPolicies>(), Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async void PutProjectPeopleAccessPoliciesAsync_DuplicatePolicy_Throws(
+        SutProvider<AccessPoliciesController> sutProvider,
+        Project project,
+        PeopleAccessPoliciesRequestModel request)
+    {
+        var dup = new AccessPolicyRequest { GranteeId = Guid.NewGuid(), Read = true, Write = true };
+        request.UserAccessPolicyRequests = new[] { dup, dup };
+        sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(project);
+
+        await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.PutProjectPeopleAccessPoliciesAsync(project.Id, request));
+
+        await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
+            .ReplaceProjectPeopleAsync(Arg.Any<ProjectPeopleAccessPolicies>(), Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async void PutProjectPeopleAccessPoliciesAsync_NoAccess_Throws(
+        SutProvider<AccessPoliciesController> sutProvider,
+        Project project,
+        PeopleAccessPoliciesRequestModel request)
+    {
+        sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(project);
+        var peoplePolicies = request.ToProjectPeopleAccessPolicies(project.Id, project.OrganizationId);
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), peoplePolicies,
+                Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.PutProjectPeopleAccessPoliciesAsync(project.Id, request));
+
+        await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
+            .ReplaceProjectPeopleAsync(Arg.Any<ProjectPeopleAccessPolicies>(), Arg.Any<Guid>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async void PutProjectPeopleAccessPoliciesAsync_Success(
+        SutProvider<AccessPoliciesController> sutProvider,
+        Guid userId,
+        Project project,
+        PeopleAccessPoliciesRequestModel request)
+    {
+        sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(project);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        var peoplePolicies = request.ToProjectPeopleAccessPolicies(project.Id, project.OrganizationId);
+        sutProvider.GetDependency<IAuthorizationService>()
+            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), peoplePolicies,
+                Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
+
+        sutProvider.GetDependency<IAccessPolicyRepository>().ReplaceProjectPeopleAsync(peoplePolicies, Arg.Any<Guid>())
+            .Returns(peoplePolicies.ToBaseAccessPolicies());
+
+        await sutProvider.Sut.PutProjectPeopleAccessPoliciesAsync(project.Id, request);
+
+        await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
+            .ReplaceProjectPeopleAsync(Arg.Any<ProjectPeopleAccessPolicies>(), Arg.Any<Guid>());
+    }
 }