mirror of
https://github.com/bitwarden/server.git
synced 2025-07-01 08:02:49 -05:00
[SM-707] Refactor authorization for Access Policy Commands (#2905)
* Extract authorization from access policy commands * Use auto mapper to ignore unwanted properties ---------
This commit is contained in:
Thomas Avery
@ -0,0 +1,761 @@
|
||||
using System.Reflection;
|
||||
using System.Security.Claims;
|
||||
using Bit.Commercial.Core.SecretsManager.AuthorizationHandlers.AccessPolicies;
|
||||
using Bit.Commercial.Core.Test.SecretsManager.Enums;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.SecretsManager.AuthorizationRequirements;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Queries.Interfaces;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
using Bit.Core.Test.SecretsManager.AutoFixture.ProjectsFixture;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using NSubstitute;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Commercial.Core.Test.SecretsManager.AuthorizationHandlers.AccessPolicies;
|
||||
|
||||
[SutProviderCustomize]
|
||||
[ProjectCustomize]
|
||||
public class AccessPolicyAuthorizationHandlerTests
|
||||
{
|
||||
private static void SetupCurrentUserPermission(SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
PermissionType permissionType, Guid organizationId, Guid userId = new())
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId)
|
||||
.Returns(true);
|
||||
|
||||
switch (permissionType)
|
||||
{
|
||||
case PermissionType.RunAsAdmin:
|
||||
sutProvider.GetDependency<IAccessClientQuery>().GetAccessClientAsync(default, organizationId).ReturnsForAnyArgs(
|
||||
(AccessClientType.NoAccessCheck, userId));
|
||||
break;
|
||||
case PermissionType.RunAsUserWithPermission:
|
||||
sutProvider.GetDependency<IAccessClientQuery>().GetAccessClientAsync(default, organizationId).ReturnsForAnyArgs(
|
||||
(AccessClientType.User, userId));
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(permissionType), permissionType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static BaseAccessPolicy CreatePolicy(AccessPolicyType accessPolicyType, Project grantedProject,
|
||||
ServiceAccount grantedServiceAccount, Guid? serviceAccountId = null)
|
||||
{
|
||||
switch (accessPolicyType)
|
||||
{
|
||||
case AccessPolicyType.UserProjectAccessPolicy:
|
||||
return
|
||||
new UserProjectAccessPolicy
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
OrganizationUserId = Guid.NewGuid(),
|
||||
Read = true,
|
||||
Write = true,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
GrantedProject = grantedProject,
|
||||
};
|
||||
case AccessPolicyType.GroupProjectAccessPolicy:
|
||||
return
|
||||
new GroupProjectAccessPolicy
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
GroupId = Guid.NewGuid(),
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
Read = true,
|
||||
Write = true,
|
||||
GrantedProject = grantedProject,
|
||||
};
|
||||
case AccessPolicyType.ServiceAccountProjectAccessPolicy:
|
||||
return new ServiceAccountProjectAccessPolicy
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
ServiceAccountId = serviceAccountId,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
Read = true,
|
||||
Write = true,
|
||||
GrantedProject = grantedProject,
|
||||
};
|
||||
case AccessPolicyType.UserServiceAccountAccessPolicy:
|
||||
return
|
||||
new UserServiceAccountAccessPolicy
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
OrganizationUserId = Guid.NewGuid(),
|
||||
Read = true,
|
||||
Write = true,
|
||||
GrantedServiceAccountId = grantedServiceAccount.Id,
|
||||
GrantedServiceAccount = grantedServiceAccount,
|
||||
};
|
||||
case AccessPolicyType.GroupServiceAccountAccessPolicy:
|
||||
return new GroupServiceAccountAccessPolicy
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
GroupId = Guid.NewGuid(),
|
||||
GrantedServiceAccountId = grantedServiceAccount.Id,
|
||||
GrantedServiceAccount = grantedServiceAccount,
|
||||
Read = true,
|
||||
Write = true,
|
||||
};
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(accessPolicyType), accessPolicyType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static void SetupMockAccess(SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid userId, BaseAccessPolicy accessPolicy, bool read, bool write)
|
||||
{
|
||||
switch (accessPolicy)
|
||||
{
|
||||
case UserProjectAccessPolicy ap:
|
||||
sutProvider.GetDependency<IProjectRepository>()
|
||||
.AccessToProjectAsync(ap.GrantedProjectId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((read, write));
|
||||
break;
|
||||
case GroupProjectAccessPolicy ap:
|
||||
sutProvider.GetDependency<IProjectRepository>()
|
||||
.AccessToProjectAsync(ap.GrantedProjectId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((read, write));
|
||||
break;
|
||||
case UserServiceAccountAccessPolicy ap:
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.AccessToServiceAccountAsync(ap.GrantedServiceAccountId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((read, write));
|
||||
break;
|
||||
case GroupServiceAccountAccessPolicy ap:
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.AccessToServiceAccountAsync(ap.GrantedServiceAccountId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((read, write));
|
||||
break;
|
||||
case ServiceAccountProjectAccessPolicy ap:
|
||||
sutProvider.GetDependency<IProjectRepository>()
|
||||
.AccessToProjectAsync(ap.GrantedProjectId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((read, write));
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.AccessToServiceAccountAsync(ap.ServiceAccountId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((read, write));
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
private static void SetupOrganizationMismatch(SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
BaseAccessPolicy accessPolicy)
|
||||
{
|
||||
switch (accessPolicy)
|
||||
{
|
||||
case UserProjectAccessPolicy resource:
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdAsync(resource.OrganizationUserId!.Value)
|
||||
.Returns(new OrganizationUser
|
||||
{
|
||||
Id = resource.OrganizationUserId!.Value,
|
||||
OrganizationId = Guid.NewGuid()
|
||||
});
|
||||
break;
|
||||
case GroupProjectAccessPolicy resource:
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdAsync(resource.GroupId!.Value)
|
||||
.Returns(new Group { Id = resource.GroupId!.Value, OrganizationId = Guid.NewGuid() });
|
||||
break;
|
||||
case UserServiceAccountAccessPolicy resource:
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdAsync(resource.OrganizationUserId!.Value)
|
||||
.Returns(new OrganizationUser
|
||||
{
|
||||
Id = resource.OrganizationUserId!.Value,
|
||||
OrganizationId = Guid.NewGuid()
|
||||
});
|
||||
break;
|
||||
case GroupServiceAccountAccessPolicy resource:
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdAsync(resource.GroupId!.Value)
|
||||
.Returns(new Group { Id = resource.GroupId!.Value, OrganizationId = Guid.NewGuid() });
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(accessPolicy), accessPolicy, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static void SetupOrganizationMatch(SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
BaseAccessPolicy accessPolicy, Guid organizationId)
|
||||
{
|
||||
switch (accessPolicy)
|
||||
{
|
||||
case UserProjectAccessPolicy resource:
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdAsync(resource.OrganizationUserId!.Value)
|
||||
.Returns(new OrganizationUser
|
||||
{
|
||||
Id = resource.OrganizationUserId!.Value,
|
||||
OrganizationId = organizationId
|
||||
});
|
||||
break;
|
||||
case GroupProjectAccessPolicy resource:
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdAsync(resource.GroupId!.Value)
|
||||
.Returns(new Group { Id = resource.GroupId!.Value, OrganizationId = organizationId });
|
||||
break;
|
||||
case UserServiceAccountAccessPolicy resource:
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdAsync(resource.OrganizationUserId!.Value)
|
||||
.Returns(new OrganizationUser
|
||||
{
|
||||
Id = resource.OrganizationUserId!.Value,
|
||||
OrganizationId = organizationId
|
||||
});
|
||||
break;
|
||||
case GroupServiceAccountAccessPolicy resource:
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdAsync(resource.GroupId!.Value)
|
||||
.Returns(new Group { Id = resource.GroupId!.Value, OrganizationId = organizationId });
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(accessPolicy), accessPolicy, null);
|
||||
}
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void AccessPolicyOperations_OnlyPublicStatic()
|
||||
{
|
||||
var publicStaticFields = typeof(AccessPolicyOperations).GetFields(BindingFlags.Public | BindingFlags.Static);
|
||||
var allFields = typeof(AccessPolicyOperations).GetFields();
|
||||
Assert.Equal(publicStaticFields.Length, allFields.Length);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Handler_UnsupportedAccessPolicyOperationRequirement_Throws(
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider, UserProjectAccessPolicy resource,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = new AccessPolicyOperationRequirement();
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await Assert.ThrowsAsync<ArgumentException>(() => sutProvider.Sut.HandleAsync(authzContext));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanCreate_OrgMismatch_DoesNotSucceed(
|
||||
AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
SetupOrganizationMismatch(sutProvider, resource);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanCreate_AccessToSecretsManagerFalse_DoesNotSucceed(
|
||||
AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
SetupOrganizationMatch(sutProvider, resource, organizationId);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId)
|
||||
.Returns(false);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanCreate_UnsupportedClientTypes_DoesNotSucceed(
|
||||
AccessClientType clientType,
|
||||
AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
SetupOrganizationMatch(sutProvider, resource, organizationId);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId)
|
||||
.Returns(true);
|
||||
sutProvider.GetDependency<IAccessClientQuery>().GetAccessClientAsync(default, organizationId).ReturnsForAnyArgs(
|
||||
(clientType, Guid.NewGuid()));
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
public async Task CanCreate_AccessCheck(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType,
|
||||
bool read, bool write, bool expected,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Guid userId,
|
||||
Guid serviceAccountId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount, serviceAccountId);
|
||||
SetupCurrentUserPermission(sutProvider, permissionType, organizationId, userId);
|
||||
SetupOrganizationMatch(sutProvider, resource, organizationId);
|
||||
SetupMockAccess(sutProvider, userId, resource, read, write);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(false, false)]
|
||||
[BitAutoData(false, true)]
|
||||
[BitAutoData(true, false)]
|
||||
public async Task CanCreate_ServiceAccountProjectAccessPolicy_TargetsDontExist_DoesNotSucceed(bool projectExists,
|
||||
bool serviceAccountExists,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider, ServiceAccountProjectAccessPolicy resource,
|
||||
Project mockProject, ServiceAccount mockServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
resource.GrantedProject = null;
|
||||
resource.ServiceAccount = null;
|
||||
|
||||
if (projectExists)
|
||||
{
|
||||
resource.GrantedProject = null;
|
||||
mockProject.Id = resource.GrantedProjectId!.Value;
|
||||
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(resource.GrantedProjectId!.Value)
|
||||
.Returns(mockProject);
|
||||
}
|
||||
|
||||
if (serviceAccountExists)
|
||||
{
|
||||
resource.ServiceAccount = null;
|
||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(resource.ServiceAccountId!.Value)
|
||||
.Returns(mockServiceAccount);
|
||||
}
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(false, false)]
|
||||
[BitAutoData(false, true)]
|
||||
[BitAutoData(true, false)]
|
||||
[BitAutoData(true, true)]
|
||||
public async Task CanCreate_ServiceAccountProjectAccessPolicy_OrgMismatch_DoesNotSucceed(bool fetchProject,
|
||||
bool fetchSa,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider, ServiceAccountProjectAccessPolicy resource,
|
||||
Project mockProject, ServiceAccount mockServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
|
||||
if (fetchProject)
|
||||
{
|
||||
resource.GrantedProject = null;
|
||||
mockProject.Id = resource.GrantedProjectId!.Value;
|
||||
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(resource.GrantedProjectId!.Value)
|
||||
.Returns(mockProject);
|
||||
}
|
||||
|
||||
if (fetchSa)
|
||||
{
|
||||
resource.ServiceAccount = null;
|
||||
mockServiceAccount.Id = resource.ServiceAccountId!.Value;
|
||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(resource.ServiceAccountId!.Value)
|
||||
.Returns(mockServiceAccount);
|
||||
}
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task CanCreate_ServiceAccountProjectAccessPolicy_AccessToSecretsManagerFalse_DoesNotSucceed(
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider, ServiceAccountProjectAccessPolicy resource,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
resource.ServiceAccount!.OrganizationId = resource.GrantedProject!.OrganizationId;
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(resource.GrantedProject!.OrganizationId)
|
||||
.Returns(false);
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessClientType.ServiceAccount)]
|
||||
[BitAutoData(AccessClientType.Organization)]
|
||||
public async Task CanCreate_ServiceAccountProjectAccessPolicy_UnsupportedClientTypes_DoesNotSucceed(
|
||||
AccessClientType clientType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider, ServiceAccountProjectAccessPolicy resource,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
resource.ServiceAccount!.OrganizationId = resource.GrantedProject!.OrganizationId;
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(resource.GrantedProject!.OrganizationId)
|
||||
.Returns(true);
|
||||
sutProvider.GetDependency<IAccessClientQuery>().GetAccessClientAsync(default, resource.ServiceAccount!.OrganizationId).ReturnsForAnyArgs(
|
||||
(clientType, new Guid()));
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(PermissionType.RunAsAdmin, true, true, true, true, true)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, false, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, false, true, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, true, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, true, true, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, false, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, false, true, true)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, true, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, true, true, true)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, false, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, false, true, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, true, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, true, true, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, false, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, false, true, true)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, true, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, true, true, true)]
|
||||
public async Task CanCreate_ServiceAccountProjectAccessPolicy_AccessCheck(PermissionType permissionType,
|
||||
bool projectRead,
|
||||
bool projectWrite, bool saRead, bool saWrite, bool expected,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider, ServiceAccountProjectAccessPolicy resource,
|
||||
ClaimsPrincipal claimsPrincipal, Guid userId)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
resource.ServiceAccount!.OrganizationId = resource.GrantedProject!.OrganizationId;
|
||||
SetupCurrentUserPermission(sutProvider, permissionType, resource.GrantedProject!.OrganizationId, userId);
|
||||
sutProvider.GetDependency<IProjectRepository>()
|
||||
.AccessToProjectAsync(resource.GrantedProjectId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((projectRead, projectWrite));
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.AccessToServiceAccountAsync(resource.ServiceAccountId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((saRead, saWrite));
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanUpdate_AccessToSecretsManagerFalse_DoesNotSucceed(AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Update;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId).Returns(false);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanUpdate_UnsupportedClientTypes_DoesNotSucceed(
|
||||
AccessClientType clientType,
|
||||
AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Update;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId).Returns(true);
|
||||
sutProvider.GetDependency<IAccessClientQuery>().GetAccessClientAsync(default, organizationId).ReturnsForAnyArgs(
|
||||
(clientType, new Guid()));
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
public async Task CanUpdate_AccessCheck(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType, bool read,
|
||||
bool write, bool expected,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal, Guid userId, Guid serviceAccountId)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Update;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount,
|
||||
serviceAccountId);
|
||||
SetupCurrentUserPermission(sutProvider, permissionType, organizationId, userId);
|
||||
SetupMockAccess(sutProvider, userId, resource, read, write);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanDelete_AccessToSecretsManagerFalse_DoesNotSucceed(AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Delete;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId).Returns(false);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanDelete_UnsupportedClientTypes_DoesNotSucceed(
|
||||
AccessClientType clientType,
|
||||
AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Delete;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId).Returns(true);
|
||||
sutProvider.GetDependency<IAccessClientQuery>().GetAccessClientAsync(default, organizationId).ReturnsForAnyArgs(
|
||||
(clientType, new Guid()));
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
public async Task CanDelete_AccessCheck(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType,
|
||||
bool read, bool write, bool expected,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal, Guid userId, Guid serviceAccountId)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Delete;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount,
|
||||
serviceAccountId);
|
||||
SetupCurrentUserPermission(sutProvider, permissionType, organizationId, userId);
|
||||
SetupMockAccess(sutProvider, userId, resource, read, write);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||
}
|
||||
}
|
||||
@ -1,6 +1,4 @@
|
||||
using Bit.Commercial.Core.SecretsManager.Commands.AccessPolicies;
|
||||
using Bit.Commercial.Core.Test.SecretsManager.Enums;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
@ -25,14 +23,20 @@ public class CreateAccessPoliciesCommandTests
|
||||
foreach (var ap in userProjectAccessPolicies)
|
||||
{
|
||||
ap.GrantedProjectId = grantedProjectId;
|
||||
ap.GrantedProject = null;
|
||||
ap.User = null;
|
||||
}
|
||||
foreach (var ap in groupProjectAccessPolicies)
|
||||
{
|
||||
ap.GrantedProjectId = grantedProjectId;
|
||||
ap.GrantedProject = null;
|
||||
ap.Group = null;
|
||||
}
|
||||
foreach (var ap in serviceAccountProjectAccessPolicies)
|
||||
{
|
||||
ap.GrantedProjectId = grantedProjectId;
|
||||
ap.GrantedProject = null;
|
||||
ap.ServiceAccount = null;
|
||||
}
|
||||
data.AddRange(userProjectAccessPolicies);
|
||||
data.AddRange(groupProjectAccessPolicies);
|
||||
@ -47,114 +51,23 @@ public class CreateAccessPoliciesCommandTests
|
||||
foreach (var ap in userServiceAccountAccessPolicies)
|
||||
{
|
||||
ap.GrantedServiceAccountId = grantedServiceAccountId;
|
||||
ap.GrantedServiceAccount = null;
|
||||
ap.User = null;
|
||||
}
|
||||
foreach (var ap in groupServiceAccountAccessPolicies)
|
||||
{
|
||||
ap.GrantedServiceAccountId = grantedServiceAccountId;
|
||||
ap.GrantedServiceAccount = null;
|
||||
ap.Group = null;
|
||||
}
|
||||
data.AddRange(userServiceAccountAccessPolicies);
|
||||
data.AddRange(groupServiceAccountAccessPolicies);
|
||||
return data;
|
||||
}
|
||||
|
||||
private static List<BaseAccessPolicy> MakeDuplicate(List<BaseAccessPolicy> data, AccessPolicyType accessPolicyType)
|
||||
{
|
||||
switch (accessPolicyType)
|
||||
{
|
||||
case AccessPolicyType.UserProjectAccessPolicy:
|
||||
{
|
||||
var mockAccessPolicy = new UserProjectAccessPolicy
|
||||
{
|
||||
OrganizationUserId = Guid.NewGuid(),
|
||||
GrantedProjectId = Guid.NewGuid(),
|
||||
};
|
||||
data.Add(mockAccessPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockAccessPolicy);
|
||||
break;
|
||||
}
|
||||
case AccessPolicyType.GroupProjectAccessPolicy:
|
||||
{
|
||||
var mockAccessPolicy = new GroupProjectAccessPolicy
|
||||
{
|
||||
GroupId = Guid.NewGuid(),
|
||||
GrantedProjectId = Guid.NewGuid(),
|
||||
};
|
||||
data.Add(mockAccessPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockAccessPolicy);
|
||||
break;
|
||||
}
|
||||
case AccessPolicyType.ServiceAccountProjectAccessPolicy:
|
||||
{
|
||||
var mockAccessPolicy = new ServiceAccountProjectAccessPolicy
|
||||
{
|
||||
ServiceAccountId = Guid.NewGuid(),
|
||||
GrantedProjectId = Guid.NewGuid(),
|
||||
};
|
||||
data.Add(mockAccessPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockAccessPolicy);
|
||||
break;
|
||||
}
|
||||
case AccessPolicyType.UserServiceAccountAccessPolicy:
|
||||
{
|
||||
var mockAccessPolicy = new UserServiceAccountAccessPolicy
|
||||
{
|
||||
OrganizationUserId = Guid.NewGuid(),
|
||||
GrantedServiceAccountId = Guid.NewGuid(),
|
||||
};
|
||||
data.Add(mockAccessPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockAccessPolicy);
|
||||
break;
|
||||
}
|
||||
case AccessPolicyType.GroupServiceAccountAccessPolicy:
|
||||
{
|
||||
var mockAccessPolicy = new GroupServiceAccountAccessPolicy
|
||||
{
|
||||
GroupId = Guid.NewGuid(),
|
||||
GrantedServiceAccountId = Guid.NewGuid(),
|
||||
};
|
||||
data.Add(mockAccessPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockAccessPolicy);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return data;
|
||||
}
|
||||
|
||||
private static void SetupPermission(SutProvider<CreateAccessPoliciesCommand> sutProvider,
|
||||
PermissionType permissionType, Project project, Guid userId)
|
||||
{
|
||||
if (permissionType == PermissionType.RunAsUserWithPermission)
|
||||
{
|
||||
sutProvider.GetDependency<IProjectRepository>().AccessToProjectAsync(project.Id, userId, AccessClientType.User)
|
||||
.Returns((true, true));
|
||||
}
|
||||
}
|
||||
|
||||
private static void SetupPermission(SutProvider<CreateAccessPoliciesCommand> sutProvider,
|
||||
PermissionType permissionType, ServiceAccount serviceAccount, Guid userId)
|
||||
{
|
||||
if (permissionType == PermissionType.RunAsUserWithPermission)
|
||||
{
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.UserHasWriteAccessToServiceAccount(serviceAccount.Id, userId).Returns(true);
|
||||
}
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task CreateMany_AlreadyExists_Throws_BadRequestException(
|
||||
Guid userId,
|
||||
Project project,
|
||||
ServiceAccount serviceAccount,
|
||||
List<UserProjectAccessPolicy> userProjectAccessPolicies,
|
||||
@ -173,83 +86,34 @@ public class CreateAccessPoliciesCommandTests
|
||||
.Returns(true);
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(() =>
|
||||
sutProvider.Sut.CreateManyAsync(data, userId, AccessClientType.NoAccessCheck));
|
||||
sutProvider.Sut.CreateManyAsync(data));
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().CreateManyAsync(default!);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CreateMany_NotUnique_ThrowsException(
|
||||
AccessPolicyType accessPolicyType,
|
||||
Guid userId,
|
||||
Project project,
|
||||
ServiceAccount serviceAccount,
|
||||
List<UserProjectAccessPolicy> userProjectAccessPolicies,
|
||||
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
|
||||
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
|
||||
List<UserServiceAccountAccessPolicy> userServiceAccountAccessPolicies,
|
||||
List<GroupServiceAccountAccessPolicy> groupServiceAccountAccessPolicies,
|
||||
SutProvider<CreateAccessPoliciesCommand> sutProvider
|
||||
)
|
||||
[BitAutoData]
|
||||
public async Task CreateMany_ClearsReferences(SutProvider<CreateAccessPoliciesCommand> sutProvider, Guid projectId)
|
||||
{
|
||||
var data = MakeGrantedProjectAccessPolicies(project.Id, userProjectAccessPolicies, groupProjectAccessPolicies,
|
||||
serviceAccountProjectAccessPolicies);
|
||||
var saData = MakeGrantedServiceAccountAccessPolicies(serviceAccount.Id, userServiceAccountAccessPolicies, groupServiceAccountAccessPolicies);
|
||||
data = data.Concat(saData).ToList();
|
||||
data = MakeDuplicate(data, accessPolicyType);
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(() =>
|
||||
sutProvider.Sut.CreateManyAsync(data, userId, AccessClientType.NoAccessCheck));
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission)]
|
||||
public async Task CreateMany_Success(
|
||||
PermissionType permissionType,
|
||||
Guid userId,
|
||||
Project project,
|
||||
ServiceAccount serviceAccount,
|
||||
List<UserProjectAccessPolicy> userProjectAccessPolicies,
|
||||
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
|
||||
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
|
||||
List<UserServiceAccountAccessPolicy> userServiceAccountAccessPolicies,
|
||||
List<GroupServiceAccountAccessPolicy> groupServiceAccountAccessPolicies,
|
||||
SutProvider<CreateAccessPoliciesCommand> sutProvider)
|
||||
{
|
||||
var data = MakeGrantedProjectAccessPolicies(project.Id, userProjectAccessPolicies, groupProjectAccessPolicies,
|
||||
serviceAccountProjectAccessPolicies);
|
||||
var saData = MakeGrantedServiceAccountAccessPolicies(serviceAccount.Id, userServiceAccountAccessPolicies, groupServiceAccountAccessPolicies);
|
||||
data = data.Concat(saData).ToList();
|
||||
|
||||
SetupPermission(sutProvider, permissionType, serviceAccount, userId);
|
||||
SetupPermission(sutProvider, permissionType, project, userId);
|
||||
|
||||
if (permissionType == PermissionType.RunAsAdmin)
|
||||
var userProjectAp = new UserProjectAccessPolicy
|
||||
{
|
||||
await sutProvider.Sut.CreateManyAsync(data, userId, AccessClientType.NoAccessCheck);
|
||||
}
|
||||
else if (permissionType == PermissionType.RunAsUserWithPermission)
|
||||
{
|
||||
await sutProvider.Sut.CreateManyAsync(data, userId, AccessClientType.User);
|
||||
}
|
||||
GrantedProjectId = projectId,
|
||||
OrganizationUserId = new Guid(),
|
||||
};
|
||||
var data = new List<BaseAccessPolicy>() { userProjectAp, };
|
||||
|
||||
userProjectAp.GrantedProject = new Project() { Id = new Guid() };
|
||||
var expectedCall = new List<BaseAccessPolicy>() { userProjectAp, };
|
||||
|
||||
await sutProvider.Sut.CreateManyAsync(data);
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
|
||||
.CreateManyAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)));
|
||||
.CreateManyAsync(Arg.Is(AssertHelper.AssertPropertyEqual(expectedCall)));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task CreateMany_UserWithoutPermission_Throws(
|
||||
Guid userId,
|
||||
public async Task CreateMany_Success(
|
||||
Project project,
|
||||
ServiceAccount serviceAccount,
|
||||
List<UserProjectAccessPolicy> userProjectAccessPolicies,
|
||||
@ -264,10 +128,9 @@ public class CreateAccessPoliciesCommandTests
|
||||
var saData = MakeGrantedServiceAccountAccessPolicies(serviceAccount.Id, userServiceAccountAccessPolicies, groupServiceAccountAccessPolicies);
|
||||
data = data.Concat(saData).ToList();
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.CreateManyAsync(data, userId, AccessClientType.User));
|
||||
await sutProvider.Sut.CreateManyAsync(data);
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
|
||||
.CreateManyAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)));
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,16 +1,10 @@
|
||||
using Bit.Commercial.Core.SecretsManager.Commands.AccessPolicies;
|
||||
using Bit.Commercial.Core.Test.SecretsManager.Enums;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
using Bit.Core.Test.SecretsManager.AutoFixture.ProjectsFixture;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Bit.Test.Common.Helpers;
|
||||
using NSubstitute;
|
||||
using NSubstitute.ReturnsExtensions;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Commercial.Core.Test.SecretsManager.Commands.AccessPolicies;
|
||||
@ -19,213 +13,13 @@ namespace Bit.Commercial.Core.Test.SecretsManager.Commands.AccessPolicies;
|
||||
[ProjectCustomize]
|
||||
public class DeleteAccessPolicyCommandTests
|
||||
{
|
||||
private static void SetupPermission(SutProvider<DeleteAccessPolicyCommand> sutProvider,
|
||||
PermissionType permissionType, Project grantedProject, Guid userId)
|
||||
{
|
||||
switch (permissionType)
|
||||
{
|
||||
case PermissionType.RunAsAdmin:
|
||||
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(grantedProject.OrganizationId)
|
||||
.Returns(true);
|
||||
break;
|
||||
case PermissionType.RunAsUserWithPermission:
|
||||
sutProvider.GetDependency<IProjectRepository>().AccessToProjectAsync(grantedProject.Id, userId, AccessClientType.User)
|
||||
.Returns((true, true));
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(permissionType), permissionType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static void SetupPermission(SutProvider<DeleteAccessPolicyCommand> sutProvider,
|
||||
PermissionType permissionType, ServiceAccount grantedServiceAccount, Guid userId)
|
||||
{
|
||||
switch (permissionType)
|
||||
{
|
||||
case PermissionType.RunAsAdmin:
|
||||
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(grantedServiceAccount.OrganizationId)
|
||||
.Returns(true);
|
||||
break;
|
||||
case PermissionType.RunAsUserWithPermission:
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.UserHasWriteAccessToServiceAccount(grantedServiceAccount.Id, userId)
|
||||
.Returns(true);
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(permissionType), permissionType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static BaseAccessPolicy CreatePolicyToReturn(AccessPolicyType accessPolicyType, Guid data,
|
||||
Project grantedProject, Group mockGroup, ServiceAccount mockServiceAccount) =>
|
||||
accessPolicyType switch
|
||||
{
|
||||
AccessPolicyType.UserProjectAccessPolicy => new UserProjectAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
GrantedProject = grantedProject,
|
||||
},
|
||||
AccessPolicyType.GroupProjectAccessPolicy => new GroupProjectAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
Group = mockGroup,
|
||||
GrantedProject = grantedProject,
|
||||
},
|
||||
AccessPolicyType.ServiceAccountProjectAccessPolicy => new ServiceAccountProjectAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
ServiceAccount = mockServiceAccount,
|
||||
GrantedProject = grantedProject,
|
||||
},
|
||||
_ => null,
|
||||
};
|
||||
|
||||
private static BaseAccessPolicy CreatePolicyToReturn(AccessPolicyType accessPolicyType, Guid data,
|
||||
ServiceAccount grantedServiceAccount, Group mockGroup) =>
|
||||
accessPolicyType switch
|
||||
{
|
||||
AccessPolicyType.UserServiceAccountAccessPolicy => new UserServiceAccountAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedServiceAccountId = grantedServiceAccount.Id,
|
||||
GrantedServiceAccount = grantedServiceAccount,
|
||||
},
|
||||
AccessPolicyType.GroupServiceAccountAccessPolicy => new GroupServiceAccountAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedServiceAccountId = grantedServiceAccount.Id,
|
||||
Group = mockGroup,
|
||||
GrantedServiceAccount = grantedServiceAccount,
|
||||
},
|
||||
_ => null,
|
||||
};
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task DeleteAccessPolicy_Throws_NotFoundException(Guid data, Guid userId,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
public async Task DeleteAsync_Success(SutProvider<DeleteAccessPolicyCommand> sutProvider, Guid data)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).ReturnsNull();
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAsync(data, userId));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
|
||||
}
|
||||
await sutProvider.Sut.DeleteAsync(data);
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task DeleteAccessPolicy_SmNotEnabled_Throws_NotFoundException(Guid data, Guid userId,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(false);
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).ReturnsNull();
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAsync(data, userId));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
public async Task DeleteAccessPolicy_ProjectGrants_PermissionsCheck_Success(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType,
|
||||
Guid data,
|
||||
Guid userId,
|
||||
Project grantedProject,
|
||||
Group mockGroup,
|
||||
ServiceAccount mockServiceAccount,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn =
|
||||
CreatePolicyToReturn(accessPolicyType, data, grantedProject, mockGroup, mockServiceAccount);
|
||||
SetupPermission(sutProvider, permissionType, grantedProject, userId);
|
||||
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data)
|
||||
.Returns(policyToReturn);
|
||||
|
||||
await sutProvider.Sut.DeleteAsync(data, userId);
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1).DeleteAsync(Arg.Is(data));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
public async Task DeleteAccessPolicy_UserProjectAccessPolicy_PermissionsCheck_ThrowsNotAuthorized(
|
||||
AccessPolicyType accessPolicyType,
|
||||
Guid data,
|
||||
Guid userId,
|
||||
Group mockGroup,
|
||||
ServiceAccount mockServiceAccount,
|
||||
Project grantedProject,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn =
|
||||
CreatePolicyToReturn(accessPolicyType, data, grantedProject, mockGroup, mockServiceAccount);
|
||||
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data)
|
||||
.Returns(policyToReturn);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.DeleteAsync(data, userId));
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
public async Task DeleteAccessPolicy_ServiceAccountGrants_PermissionsCheck_Success(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType,
|
||||
Guid data,
|
||||
Guid userId,
|
||||
ServiceAccount grantedServiceAccount,
|
||||
Group mockGroup,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn = CreatePolicyToReturn(accessPolicyType, data, grantedServiceAccount, mockGroup);
|
||||
SetupPermission(sutProvider, permissionType, grantedServiceAccount, userId);
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data)
|
||||
.Returns(policyToReturn);
|
||||
|
||||
await sutProvider.Sut.DeleteAsync(data, userId);
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1).DeleteAsync(Arg.Is(data));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task DeleteAccessPolicy_ServiceAccountGrants_PermissionsCheck_Throws(
|
||||
AccessPolicyType accessPolicyType,
|
||||
Guid data,
|
||||
Guid userId,
|
||||
ServiceAccount grantedServiceAccount,
|
||||
Group mockGroup,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn = CreatePolicyToReturn(accessPolicyType, data, grantedServiceAccount, mockGroup);
|
||||
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data)
|
||||
.Returns(policyToReturn);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.DeleteAsync(data, userId));
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
|
||||
.DeleteAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)));
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,8 +1,4 @@
|
||||
using Bit.Commercial.Core.SecretsManager.Commands.AccessPolicies;
|
||||
using Bit.Commercial.Core.Test.SecretsManager.Enums;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
@ -19,243 +15,30 @@ namespace Bit.Commercial.Core.Test.SecretsManager.Commands.AccessPolicies;
|
||||
[ProjectCustomize]
|
||||
public class UpdateAccessPolicyCommandTests
|
||||
{
|
||||
private static void SetupPermission(SutProvider<UpdateAccessPolicyCommand> sutProvider,
|
||||
PermissionType permissionType, Project grantedProject, Guid userId)
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task UpdateAsync_DoesNotExist_ThrowsNotFound(Guid data, bool read, bool write,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
switch (permissionType)
|
||||
{
|
||||
case PermissionType.RunAsAdmin:
|
||||
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(grantedProject.OrganizationId)
|
||||
.Returns(true);
|
||||
break;
|
||||
case PermissionType.RunAsUserWithPermission:
|
||||
sutProvider.GetDependency<IProjectRepository>().AccessToProjectAsync(grantedProject.Id, userId, AccessClientType.User)
|
||||
.Returns((true, true));
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(permissionType), permissionType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static void SetupPermission(SutProvider<UpdateAccessPolicyCommand> sutProvider,
|
||||
PermissionType permissionType, ServiceAccount grantedServiceAccount, Guid userId)
|
||||
{
|
||||
switch (permissionType)
|
||||
{
|
||||
case PermissionType.RunAsAdmin:
|
||||
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(grantedServiceAccount.OrganizationId)
|
||||
.Returns(true);
|
||||
break;
|
||||
case PermissionType.RunAsUserWithPermission:
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.UserHasWriteAccessToServiceAccount(grantedServiceAccount.Id, userId)
|
||||
.Returns(true);
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(permissionType), permissionType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static BaseAccessPolicy CreatePolicyToReturn(AccessPolicyType accessPolicyType,
|
||||
ServiceAccount grantedServiceAccount, Guid data, Group mockGroup)
|
||||
{
|
||||
switch (accessPolicyType)
|
||||
{
|
||||
case AccessPolicyType.UserServiceAccountAccessPolicy:
|
||||
return
|
||||
new UserServiceAccountAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
Read = true,
|
||||
Write = true,
|
||||
GrantedServiceAccountId = grantedServiceAccount.Id,
|
||||
GrantedServiceAccount = grantedServiceAccount,
|
||||
};
|
||||
case AccessPolicyType.GroupServiceAccountAccessPolicy:
|
||||
mockGroup.OrganizationId = grantedServiceAccount.OrganizationId;
|
||||
return new GroupServiceAccountAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedServiceAccountId = grantedServiceAccount.Id,
|
||||
GrantedServiceAccount = grantedServiceAccount,
|
||||
Read = true,
|
||||
Write = true,
|
||||
Group = mockGroup,
|
||||
};
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(accessPolicyType), accessPolicyType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static BaseAccessPolicy CreatePolicyToReturn(AccessPolicyType accessPolicyType, Guid data,
|
||||
Project grantedProject, Group mockGroup, ServiceAccount mockServiceAccount)
|
||||
{
|
||||
switch (accessPolicyType)
|
||||
{
|
||||
case AccessPolicyType.UserProjectAccessPolicy:
|
||||
return
|
||||
new UserProjectAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
Read = true,
|
||||
Write = true,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
GrantedProject = grantedProject,
|
||||
};
|
||||
case AccessPolicyType.GroupProjectAccessPolicy:
|
||||
mockGroup.OrganizationId = grantedProject.OrganizationId;
|
||||
return
|
||||
new GroupProjectAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
Read = true,
|
||||
Write = true,
|
||||
Group = mockGroup,
|
||||
GrantedProject = grantedProject,
|
||||
};
|
||||
case AccessPolicyType.ServiceAccountProjectAccessPolicy:
|
||||
mockServiceAccount.OrganizationId = grantedProject.OrganizationId;
|
||||
return new ServiceAccountProjectAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
Read = true,
|
||||
Write = true,
|
||||
ServiceAccount = mockServiceAccount,
|
||||
GrantedProject = grantedProject,
|
||||
};
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(accessPolicyType), accessPolicyType, null);
|
||||
}
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateAsync(data, read, write));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(Arg.Any<BaseAccessPolicy>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task UpdateAsync_Throws_NotFoundException(Guid data, bool read, bool write, Guid userId,
|
||||
public async Task UpdateAsync_Success(Guid data, bool read, bool write, UserProjectAccessPolicy accessPolicy,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateAsync(data, read, write, userId));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(default);
|
||||
}
|
||||
accessPolicy.Id = data;
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).Returns(accessPolicy);
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task UpdateAsync_SmNotEnabled_Throws_NotFoundException(Guid data, bool read, bool write, Guid userId,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(false);
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateAsync(data, read, write, userId));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(default);
|
||||
}
|
||||
var result = await sutProvider.Sut.UpdateAsync(data, read, write);
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
public async Task UpdateAsync_ProjectGrants_PermissionsCheck_Success(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType,
|
||||
Guid data,
|
||||
bool read,
|
||||
bool write,
|
||||
Guid userId,
|
||||
Project grantedProject,
|
||||
Group mockGroup,
|
||||
ServiceAccount mockServiceAccount,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn =
|
||||
CreatePolicyToReturn(accessPolicyType, data, grantedProject, mockGroup, mockServiceAccount);
|
||||
SetupPermission(sutProvider, permissionType, grantedProject, userId);
|
||||
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).Returns(policyToReturn);
|
||||
var result = await sutProvider.Sut.UpdateAsync(data, read, write, userId);
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1).ReplaceAsync(policyToReturn);
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
|
||||
.ReplaceAsync(Arg.Any<BaseAccessPolicy>());
|
||||
|
||||
AssertHelper.AssertRecent(result.RevisionDate);
|
||||
Assert.Equal(read, result.Read);
|
||||
Assert.Equal(write, result.Write);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
public async Task UpdateAsync_ProjectGrants_PermissionsCheck_Throws(
|
||||
AccessPolicyType accessPolicyType,
|
||||
Guid data,
|
||||
bool read,
|
||||
bool write,
|
||||
Guid userId,
|
||||
Project grantedProject,
|
||||
Group mockGroup,
|
||||
ServiceAccount mockServiceAccount,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn =
|
||||
CreatePolicyToReturn(accessPolicyType, data, grantedProject, mockGroup, mockServiceAccount);
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).Returns(policyToReturn);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.UpdateAsync(data, read, write, userId));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(default);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
public async Task UpdateAsync_ServiceAccountGrants_PermissionsCheck_Success(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType,
|
||||
Guid data,
|
||||
bool read,
|
||||
bool write,
|
||||
Guid userId,
|
||||
ServiceAccount grantedServiceAccount,
|
||||
Group mockGroup,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn = CreatePolicyToReturn(accessPolicyType, grantedServiceAccount, data, mockGroup);
|
||||
SetupPermission(sutProvider, permissionType, grantedServiceAccount, userId);
|
||||
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).Returns(policyToReturn);
|
||||
var result = await sutProvider.Sut.UpdateAsync(data, read, write, userId);
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1).ReplaceAsync(policyToReturn);
|
||||
|
||||
AssertHelper.AssertRecent(result.RevisionDate);
|
||||
Assert.Equal(read, result.Read);
|
||||
Assert.Equal(write, result.Write);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task UpdateAsync_ServiceAccountGrants_PermissionsCheck_Throws(
|
||||
AccessPolicyType accessPolicyType,
|
||||
Guid data,
|
||||
bool read,
|
||||
bool write,
|
||||
Guid userId,
|
||||
ServiceAccount grantedServiceAccount,
|
||||
Group mockGroup,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn = CreatePolicyToReturn(accessPolicyType, grantedServiceAccount, data, mockGroup);
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).Returns(policyToReturn);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.UpdateAsync(data, read, write, userId));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(default);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user