[SM-654] Add support for direct secret permissions at the repo layer (#4156)

* calculate direct secret permissions at the repo layer * Add integration tests for service account secret access count
2025-06-30 15:42:48 -05:00 · 2024-06-20 10:40:24 -05:00
parent 7f496e7399
commit 0e6e461602
4 changed files with 295 additions and 80 deletions
--- a/test/Api.IntegrationTest/SecretsManager/Controllers/ServiceAccountsControllerTests.cs
+++ b/test/Api.IntegrationTest/SecretsManager/Controllers/ServiceAccountsControllerTests.cs
@ -29,6 +29,8 @@ public class ServiceAccountsControllerTests : IClassFixture<ApiApplicationFactor
    private readonly IAccessPolicyRepository _accessPolicyRepository;
    private readonly IApiKeyRepository _apiKeyRepository;
    private readonly IServiceAccountRepository _serviceAccountRepository;
+    private readonly IProjectRepository _projectRepository;
+    private readonly ISecretRepository _secretRepository;

    private string _email = null!;
    private SecretsManagerOrganizationHelper _organizationHelper = null!;
@ -40,6 +42,8 @@ public class ServiceAccountsControllerTests : IClassFixture<ApiApplicationFactor
        _serviceAccountRepository = _factory.GetService<IServiceAccountRepository>();
        _accessPolicyRepository = _factory.GetService<IAccessPolicyRepository>();
        _apiKeyRepository = _factory.GetService<IApiKeyRepository>();
+        _secretRepository = _factory.GetService<ISecretRepository>();
+        _projectRepository = _factory.GetService<IProjectRepository>();
        _loginHelper = new LoginHelper(_factory, _client);
    }

@ -73,51 +77,90 @@ public class ServiceAccountsControllerTests : IClassFixture<ApiApplicationFactor
        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
    }

-    [Fact]
-    public async Task ListByOrganization_Admin_Success()
+    [Theory]
+    [InlineData(PermissionType.RunAsAdmin)]
+    [InlineData(PermissionType.RunAsUserWithPermission)]
+    public async Task ListByOrganization_NoSecretAccess_Success(PermissionType permissionType)
    {
-        var (org, _) = await _organizationHelper.Initialize(true, true, true);
-        await _loginHelper.LoginAsync(_email);
+        var (orgId, serviceAccountIds) = await SetupListByOrganizationRequestAsync(permissionType);

-        var serviceAccountIds = await SetupGetServiceAccountsByOrganizationAsync(org);
-
-        var response = await _client.GetAsync($"/organizations/{org.Id}/service-accounts");
+        var response = await _client.GetAsync($"/organizations/{orgId}/service-accounts");
        response.EnsureSuccessStatusCode();
-        var result = await response.Content.ReadFromJsonAsync<ListResponseModel<ServiceAccountResponseModel>>();
+        var result = await response.Content
+            .ReadFromJsonAsync<ListResponseModel<ServiceAccountSecretsDetailsResponseModel>>();

        Assert.NotNull(result);
        Assert.NotEmpty(result.Data);
        Assert.Equal(serviceAccountIds.Count, result.Data.Count());
+        Assert.DoesNotContain(result.Data, x => x.AccessToSecrets != 0);
    }

-    [Fact]
-    public async Task ListByOrganization_User_Success()
+    [Theory]
+    [InlineData(PermissionType.RunAsAdmin)]
+    [InlineData(PermissionType.RunAsUserWithPermission)]
+    public async Task ListByOrganization_SecretAccess_Success(PermissionType permissionType)
    {
-        var (org, _) = await _organizationHelper.Initialize(true, true, true);
-        var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
-        await _loginHelper.LoginAsync(email);
+        var (orgId, serviceAccountIds) = await SetupListByOrganizationRequestAsync(permissionType);
+        var expectedAccess = await SetupServiceAccountSecretAccessAsync(serviceAccountIds, orgId);

-        var serviceAccountIds = await SetupGetServiceAccountsByOrganizationAsync(org);
-
-        // Setup access for two
-        var accessPolicies = serviceAccountIds.Take(2).Select(
-            id => new UserServiceAccountAccessPolicy
-            {
-                OrganizationUserId = orgUser.Id,
-                GrantedServiceAccountId = id,
-                Read = true,
-                Write = false,
-            }).Cast<BaseAccessPolicy>().ToList();
-
-        await _accessPolicyRepository.CreateManyAsync(accessPolicies);
-
-        var response = await _client.GetAsync($"/organizations/{org.Id}/service-accounts");
+        var response = await _client.GetAsync($"/organizations/{orgId}/service-accounts?includeAccessToSecrets=true");
        response.EnsureSuccessStatusCode();
-        var result = await response.Content.ReadFromJsonAsync<ListResponseModel<ServiceAccountResponseModel>>();
+        var result = await response.Content
+            .ReadFromJsonAsync<ListResponseModel<ServiceAccountSecretsDetailsResponseModel>>();

        Assert.NotNull(result);
        Assert.NotEmpty(result.Data);
-        Assert.Equal(2, result.Data.Count());
+        Assert.Equal(serviceAccountIds.Count, result.Data.Count());
+
+        foreach (var item in expectedAccess)
+        {
+            var serviceAccountResult = result.Data.FirstOrDefault(x => x.Id == item.Key);
+            Assert.NotNull(serviceAccountResult);
+            Assert.Equal(item.Value, serviceAccountResult.AccessToSecrets);
+        }
+    }
+
+    [Theory]
+    [InlineData(false)]
+    [InlineData(true)]
+    public async Task ListByOrganization_UserPartialAccess_ReturnsServiceAccountsUserHasAccessTo(
+        bool includeAccessToSecrets)
+    {
+        var (orgId, serviceAccountIds) =
+            await SetupListByOrganizationRequestAsync(PermissionType.RunAsUserWithPermission);
+        var expectedAccess = await SetupServiceAccountSecretAccessAsync(serviceAccountIds, orgId);
+
+        var serviceAccountWithoutAccess = await _serviceAccountRepository.CreateAsync(new ServiceAccount
+        {
+            OrganizationId = orgId,
+            Name = _mockEncryptedString
+        });
+
+        var response =
+            await _client.GetAsync(
+                $"/organizations/{orgId}/service-accounts?includeAccessToSecrets={includeAccessToSecrets}");
+        response.EnsureSuccessStatusCode();
+        var result = await response.Content
+            .ReadFromJsonAsync<ListResponseModel<ServiceAccountSecretsDetailsResponseModel>>();
+
+        Assert.NotNull(result);
+        Assert.NotEmpty(result.Data);
+        Assert.Equal(serviceAccountIds.Count, result.Data.Count());
+        Assert.DoesNotContain(result.Data, x => x.Id == serviceAccountWithoutAccess.Id);
+
+        if (includeAccessToSecrets)
+        {
+            foreach (var item in expectedAccess)
+            {
+                var serviceAccountResult = result.Data.FirstOrDefault(x => x.Id == item.Key);
+                Assert.NotNull(serviceAccountResult);
+                Assert.Equal(item.Value, serviceAccountResult.AccessToSecrets);
+            }
+        }
+        else
+        {
+            Assert.Contains(result.Data, x => x.AccessToSecrets == 0);
+        }
    }

    [Theory]
@ -824,10 +867,10 @@ public class ServiceAccountsControllerTests : IClassFixture<ApiApplicationFactor
        await _accessPolicyRepository.CreateManyAsync(new List<BaseAccessPolicy> { policy });
    }

-    private async Task<List<Guid>> SetupGetServiceAccountsByOrganizationAsync(Organization org)
+    private async Task<List<Guid>> CreateServiceAccountsInOrganizationAsync(Organization org)
    {
        var serviceAccountIds = new List<Guid>();
-        for (var i = 0; i < 3; i++)
+        for (var i = 0; i < 4; i++)
        {
            var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
            {
@ -870,4 +913,109 @@ public class ServiceAccountsControllerTests : IClassFixture<ApiApplicationFactor

        return initialServiceAccount;
    }
+
+    private async Task<(Guid OrganizationId, List<Guid> ServiceAccountIds)> SetupListByOrganizationRequestAsync(PermissionType permissionType)
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var serviceAccountIds = await CreateServiceAccountsInOrganizationAsync(org);
+
+        if (permissionType == PermissionType.RunAsAdmin)
+        {
+            return (org.Id, serviceAccountIds);
+        }
+
+        var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
+        await _loginHelper.LoginAsync(email);
+
+        var accessPolicies = serviceAccountIds.Select(
+            id => new UserServiceAccountAccessPolicy
+            {
+                OrganizationUserId = orgUser.Id,
+                GrantedServiceAccountId = id,
+                Read = true,
+                Write = false,
+            }).Cast<BaseAccessPolicy>().ToList();
+
+        await _accessPolicyRepository.CreateManyAsync(accessPolicies);
+
+        return (org.Id, serviceAccountIds);
+    }
+
+    private async Task<Dictionary<Guid, int>> SetupServiceAccountSecretAccessAsync(List<Guid> serviceAccountIds,
+        Guid organizationId)
+    {
+        var project =
+            await _projectRepository.CreateAsync(new Project
+            {
+                Name = _mockEncryptedString,
+                OrganizationId = organizationId
+            });
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            OrganizationId = organizationId,
+            Projects = [project]
+        });
+
+        var secretNoProject = await _secretRepository.CreateAsync(new Secret
+        {
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            OrganizationId = organizationId
+        });
+
+        var serviceAccountWithProjectAccess = serviceAccountIds[0];
+        var serviceAccountWithProjectAndSecretAccess = serviceAccountIds[1];
+        var serviceAccountWithSecretAccess = serviceAccountIds[2];
+        var serviceAccountWithNoAccess = serviceAccountIds[3];
+        await _accessPolicyRepository.CreateManyAsync([
+            new ServiceAccountProjectAccessPolicy
+            {
+                ServiceAccountId = serviceAccountWithProjectAccess,
+                GrantedProjectId = project.Id,
+                Read = true,
+                Write = true
+            },
+            new ServiceAccountProjectAccessPolicy
+            {
+                ServiceAccountId = serviceAccountWithProjectAndSecretAccess,
+                GrantedProjectId = project.Id,
+                Read = true,
+                Write = true
+            },
+            new ServiceAccountSecretAccessPolicy
+            {
+                ServiceAccountId = serviceAccountWithProjectAndSecretAccess,
+                GrantedSecretId = secret.Id,
+                Read = true,
+                Write = true
+            },
+            new ServiceAccountSecretAccessPolicy
+            {
+                ServiceAccountId = serviceAccountWithProjectAndSecretAccess,
+                GrantedSecretId = secretNoProject.Id,
+                Read = true,
+                Write = true
+            },
+            new ServiceAccountSecretAccessPolicy
+            {
+                ServiceAccountId = serviceAccountWithSecretAccess,
+                GrantedSecretId = secretNoProject.Id,
+                Read = true,
+                Write = true
+            }
+        ]);
+
+        return new Dictionary<Guid, int>
+        {
+            { serviceAccountWithProjectAccess, 1 },
+            { serviceAccountWithProjectAndSecretAccess, 2 },
+            { serviceAccountWithSecretAccess, 1 },
+            { serviceAccountWithNoAccess, 0 }
+        };
+    }
 }