nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-05-20 19:14:32 -05:00
Code

[SM-473] Access Policies - Service Accounts (#2658)

Browse Source 
* Add service account access policy endpoints

* Add unit & integration tests for new endpoints

* Fix formatting on response models

* Cleanup unit tests
This commit is contained in:
Thomas Avery 2023-02-07 14:30:22 -06:00 committed by GitHub
parent cf669286ed
commit 1ee14d93e6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 1030 additions and 305 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
bitwarden_license/src/Commercial.Core/SecretsManager/Commands/AccessPolicies/CreateAccessPoliciesCommand.cs
View File

@ -12,15 +12,18 @@ public class CreateAccessPoliciesCommand : ICreateAccessPoliciesCommand
private readonly IAccessPolicyRepository _accessPolicyRepository; private readonly IAccessPolicyRepository _accessPolicyRepository;
private readonly ICurrentContext _currentContext; private readonly ICurrentContext _currentContext;
private readonly IProjectRepository _projectRepository; private readonly IProjectRepository _projectRepository;
private readonly IServiceAccountRepository _serviceAccountRepository;
public CreateAccessPoliciesCommand( public CreateAccessPoliciesCommand(
IAccessPolicyRepository accessPolicyRepository, IAccessPolicyRepository accessPolicyRepository,
ICurrentContext currentContext, ICurrentContext currentContext,
IProjectRepository projectRepository) IProjectRepository projectRepository,
IServiceAccountRepository serviceAccountRepository)
{ {
_projectRepository = projectRepository;
_accessPolicyRepository = accessPolicyRepository; _accessPolicyRepository = accessPolicyRepository;
_currentContext = currentContext; _currentContext = currentContext;
_projectRepository = projectRepository;
_serviceAccountRepository = serviceAccountRepository;
} }
public async Task<IEnumerable<BaseAccessPolicy>> CreateForProjectAsync(Guid projectId, public async Task<IEnumerable<BaseAccessPolicy>> CreateForProjectAsync(Guid projectId,
@ -32,21 +35,33 @@ public class CreateAccessPoliciesCommand : ICreateAccessPoliciesCommand
throw new NotFoundException(); throw new NotFoundException();
} }
var orgAdmin = await _currentContext.OrganizationAdmin(project.OrganizationId); await CheckPermissionAsync(project.OrganizationId, userId, projectId);
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin); CheckForDistinctAccessPolicies(accessPolicies);
await CheckAccessPoliciesDoNotExistAsync(accessPolicies);
var hasAccess = accessClient switch await _accessPolicyRepository.CreateManyAsync(accessPolicies);
{ return await _accessPolicyRepository.GetManyByGrantedProjectIdAsync(projectId);
AccessClientType.NoAccessCheck => true, }
AccessClientType.User => await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
_ => false,
};
if (!hasAccess) public async Task<IEnumerable<BaseAccessPolicy>> CreateForServiceAccountAsync(Guid serviceAccountId,
List<BaseAccessPolicy> accessPolicies, Guid userId)
{
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(serviceAccountId);
if (serviceAccount == null || !_currentContext.AccessSecretsManager(serviceAccount.OrganizationId))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
await CheckPermissionAsync(serviceAccount.OrganizationId, userId, serviceAccountIdToCheck: serviceAccountId);
CheckForDistinctAccessPolicies(accessPolicies);
await CheckAccessPoliciesDoNotExistAsync(accessPolicies);
await _accessPolicyRepository.CreateManyAsync(accessPolicies);
return await _accessPolicyRepository.GetManyByGrantedServiceAccountIdAsync(serviceAccountId);
}
private static void CheckForDistinctAccessPolicies(IReadOnlyCollection<BaseAccessPolicy> accessPolicies)
{
var distinctAccessPolicies = accessPolicies.DistinctBy(baseAccessPolicy => var distinctAccessPolicies = accessPolicies.DistinctBy(baseAccessPolicy =>
{ {
return baseAccessPolicy switch return baseAccessPolicy switch
@ -55,6 +70,9 @@ public class CreateAccessPoliciesCommand : ICreateAccessPoliciesCommand
GroupProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedProjectId), GroupProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedProjectId),
ServiceAccountProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.ServiceAccountId, ServiceAccountProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.ServiceAccountId,
ap.GrantedProjectId), ap.GrantedProjectId),
UserServiceAccountAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId,
ap.GrantedServiceAccountId),
GroupServiceAccountAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedServiceAccountId),
_ => throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy)), _ => throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy)),
}; };
}).ToList(); }).ToList();
@ -63,7 +81,10 @@ public class CreateAccessPoliciesCommand : ICreateAccessPoliciesCommand
{ {
throw new BadRequestException("Resources must be unique"); throw new BadRequestException("Resources must be unique");
} }
}
private async Task CheckAccessPoliciesDoNotExistAsync(List<BaseAccessPolicy> accessPolicies)
{
foreach (var accessPolicy in accessPolicies) foreach (var accessPolicy in accessPolicies)
{ {
if (await _accessPolicyRepository.AccessPolicyExists(accessPolicy)) if (await _accessPolicyRepository.AccessPolicyExists(accessPolicy))
@ -71,7 +92,46 @@ public class CreateAccessPoliciesCommand : ICreateAccessPoliciesCommand
throw new BadRequestException("Resource already exists"); throw new BadRequestException("Resource already exists");
} }
} }
await _accessPolicyRepository.CreateManyAsync(accessPolicies); }
return await _accessPolicyRepository.GetManyByGrantedProjectIdAsync(projectId);
private async Task CheckPermissionAsync(Guid organizationId,
Guid userId,
Guid? projectIdToCheck = null,
Guid? serviceAccountIdToCheck = null)
{
var orgAdmin = await _currentContext.OrganizationAdmin(organizationId);
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
bool hasAccess;
switch (accessClient)
{
case AccessClientType.NoAccessCheck:
hasAccess = true;
break;
case AccessClientType.User:
if (projectIdToCheck != null)
{
hasAccess = await _projectRepository.UserHasWriteAccessToProject(projectIdToCheck.Value, userId);
}
else if (serviceAccountIdToCheck != null)
{
hasAccess = await _serviceAccountRepository.UserHasWriteAccessToServiceAccount(
serviceAccountIdToCheck.Value,
userId);
}
else
{
hasAccess = false;
}
break;
default:
hasAccess = false;
break;
}
if (!hasAccess)
{
throw new NotFoundException();
}
} }
} }

246
bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/Repositories/AccessPolicyRepository.cs
View File

@ -16,152 +16,152 @@ public class AccessPolicyRepository : BaseEntityFrameworkRepository, IAccessPoli
public async Task<List<Core.SecretsManager.Entities.BaseAccessPolicy>> CreateManyAsync(List<Core.SecretsManager.Entities.BaseAccessPolicy> baseAccessPolicies) public async Task<List<Core.SecretsManager.Entities.BaseAccessPolicy>> CreateManyAsync(List<Core.SecretsManager.Entities.BaseAccessPolicy> baseAccessPolicies)
{ {
using (var scope = ServiceScopeFactory.CreateScope()) using var scope = ServiceScopeFactory.CreateScope();
var dbContext = GetDatabaseContext(scope);
foreach (var baseAccessPolicy in baseAccessPolicies)
{ {
var dbContext = GetDatabaseContext(scope); baseAccessPolicy.SetNewId();
foreach (var baseAccessPolicy in baseAccessPolicies)
{
baseAccessPolicy.SetNewId();
switch (baseAccessPolicy)
{
case Core.SecretsManager.Entities.UserProjectAccessPolicy accessPolicy:
{
var entity =
Mapper.Map<UserProjectAccessPolicy>(accessPolicy);
await dbContext.AddAsync(entity);
break;
}
case Core.SecretsManager.Entities.UserServiceAccountAccessPolicy accessPolicy:
{
var entity =
Mapper.Map<UserServiceAccountAccessPolicy>(accessPolicy);
await dbContext.AddAsync(entity);
break;
}
case Core.SecretsManager.Entities.GroupProjectAccessPolicy accessPolicy:
{
var entity = Mapper.Map<GroupProjectAccessPolicy>(accessPolicy);
await dbContext.AddAsync(entity);
break;
}
case Core.SecretsManager.Entities.GroupServiceAccountAccessPolicy accessPolicy:
{
var entity = Mapper.Map<GroupServiceAccountAccessPolicy>(accessPolicy);
await dbContext.AddAsync(entity);
break;
}
case Core.SecretsManager.Entities.ServiceAccountProjectAccessPolicy accessPolicy:
{
var entity = Mapper.Map<ServiceAccountProjectAccessPolicy>(accessPolicy);
await dbContext.AddAsync(entity);
break;
}
}
}
await dbContext.SaveChangesAsync();
return baseAccessPolicies;
}
}
public async Task<bool> AccessPolicyExists(Core.SecretsManager.Entities.BaseAccessPolicy baseAccessPolicy)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
switch (baseAccessPolicy) switch (baseAccessPolicy)
{ {
case Core.SecretsManager.Entities.UserProjectAccessPolicy accessPolicy: case Core.SecretsManager.Entities.UserProjectAccessPolicy accessPolicy:
{ {
var policy = await dbContext.UserProjectAccessPolicy var entity =
.Where(c => c.OrganizationUserId == accessPolicy.OrganizationUserId && Mapper.Map<UserProjectAccessPolicy>(accessPolicy);
c.GrantedProjectId == accessPolicy.GrantedProjectId) await dbContext.AddAsync(entity);
.FirstOrDefaultAsync(); break;
return policy != null; }
case Core.SecretsManager.Entities.UserServiceAccountAccessPolicy accessPolicy:
{
var entity =
Mapper.Map<UserServiceAccountAccessPolicy>(accessPolicy);
await dbContext.AddAsync(entity);
break;
} }
case Core.SecretsManager.Entities.GroupProjectAccessPolicy accessPolicy: case Core.SecretsManager.Entities.GroupProjectAccessPolicy accessPolicy:
{ {
var policy = await dbContext.GroupProjectAccessPolicy var entity = Mapper.Map<GroupProjectAccessPolicy>(accessPolicy);
.Where(c => c.GroupId == accessPolicy.GroupId && await dbContext.AddAsync(entity);
c.GrantedProjectId == accessPolicy.GrantedProjectId) break;
.FirstOrDefaultAsync(); }
return policy != null; case Core.SecretsManager.Entities.GroupServiceAccountAccessPolicy accessPolicy:
{
var entity = Mapper.Map<GroupServiceAccountAccessPolicy>(accessPolicy);
await dbContext.AddAsync(entity);
break;
} }
case Core.SecretsManager.Entities.ServiceAccountProjectAccessPolicy accessPolicy: case Core.SecretsManager.Entities.ServiceAccountProjectAccessPolicy accessPolicy:
{ {
var policy = await dbContext.ServiceAccountProjectAccessPolicy var entity = Mapper.Map<ServiceAccountProjectAccessPolicy>(accessPolicy);
.Where(c => c.ServiceAccountId == accessPolicy.ServiceAccountId && await dbContext.AddAsync(entity);
c.GrantedProjectId == accessPolicy.GrantedProjectId) break;
.FirstOrDefaultAsync();
return policy != null;
} }
default:
throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy));
} }
} }
await dbContext.SaveChangesAsync();
return baseAccessPolicies;
}
public async Task<bool> AccessPolicyExists(Core.SecretsManager.Entities.BaseAccessPolicy baseAccessPolicy)
{
using var scope = ServiceScopeFactory.CreateScope();
var dbContext = GetDatabaseContext(scope);
switch (baseAccessPolicy)
{
case Core.SecretsManager.Entities.UserProjectAccessPolicy accessPolicy:
{
var policy = await dbContext.UserProjectAccessPolicy
.Where(c => c.OrganizationUserId == accessPolicy.OrganizationUserId &&
c.GrantedProjectId == accessPolicy.GrantedProjectId)
.FirstOrDefaultAsync();
return policy != null;
}
case Core.SecretsManager.Entities.GroupProjectAccessPolicy accessPolicy:
{
var policy = await dbContext.GroupProjectAccessPolicy
.Where(c => c.GroupId == accessPolicy.GroupId &&
c.GrantedProjectId == accessPolicy.GrantedProjectId)
.FirstOrDefaultAsync();
return policy != null;
}
case Core.SecretsManager.Entities.ServiceAccountProjectAccessPolicy accessPolicy:
{
var policy = await dbContext.ServiceAccountProjectAccessPolicy
.Where(c => c.ServiceAccountId == accessPolicy.ServiceAccountId &&
c.GrantedProjectId == accessPolicy.GrantedProjectId)
.FirstOrDefaultAsync();
return policy != null;
}
case Core.SecretsManager.Entities.UserServiceAccountAccessPolicy accessPolicy:
{
var policy = await dbContext.UserServiceAccountAccessPolicy
.Where(c => c.OrganizationUserId == accessPolicy.OrganizationUserId &&
c.GrantedServiceAccountId == accessPolicy.GrantedServiceAccountId)
.FirstOrDefaultAsync();
return policy != null;
}
case Core.SecretsManager.Entities.GroupServiceAccountAccessPolicy accessPolicy:
{
var policy = await dbContext.GroupServiceAccountAccessPolicy
.Where(c => c.GroupId == accessPolicy.GroupId &&
c.GrantedServiceAccountId == accessPolicy.GrantedServiceAccountId)
.FirstOrDefaultAsync();
return policy != null;
}
default:
throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy));
}
} }
public async Task<Core.SecretsManager.Entities.BaseAccessPolicy?> GetByIdAsync(Guid id) public async Task<Core.SecretsManager.Entities.BaseAccessPolicy?> GetByIdAsync(Guid id)
{ {
using (var scope = ServiceScopeFactory.CreateScope()) using var scope = ServiceScopeFactory.CreateScope();
{ var dbContext = GetDatabaseContext(scope);
var dbContext = GetDatabaseContext(scope); var entity = await dbContext.AccessPolicies.Where(ap => ap.Id == id)
var entity = await dbContext.AccessPolicies.Where(ap => ap.Id == id) .Include(ap => ((UserProjectAccessPolicy)ap).OrganizationUser.User)
.Include(ap => ((UserProjectAccessPolicy)ap).OrganizationUser.User) .Include(ap => ((UserProjectAccessPolicy)ap).GrantedProject)
.Include(ap => ((UserProjectAccessPolicy)ap).GrantedProject) .Include(ap => ((GroupProjectAccessPolicy)ap).Group)
.Include(ap => ((GroupProjectAccessPolicy)ap).Group) .Include(ap => ((GroupProjectAccessPolicy)ap).GrantedProject)
.Include(ap => ((GroupProjectAccessPolicy)ap).GrantedProject) .Include(ap => ((ServiceAccountProjectAccessPolicy)ap).ServiceAccount)
.Include(ap => ((ServiceAccountProjectAccessPolicy)ap).ServiceAccount) .Include(ap => ((ServiceAccountProjectAccessPolicy)ap).GrantedProject)
.Include(ap => ((ServiceAccountProjectAccessPolicy)ap).GrantedProject) .Include(ap => ((UserServiceAccountAccessPolicy)ap).OrganizationUser.User)
.Include(ap => ((UserServiceAccountAccessPolicy)ap).OrganizationUser.User) .Include(ap => ((UserServiceAccountAccessPolicy)ap).GrantedServiceAccount)
.Include(ap => ((UserServiceAccountAccessPolicy)ap).GrantedServiceAccount) .Include(ap => ((GroupServiceAccountAccessPolicy)ap).Group)
.Include(ap => ((GroupServiceAccountAccessPolicy)ap).Group) .Include(ap => ((GroupServiceAccountAccessPolicy)ap).GrantedServiceAccount)
.Include(ap => ((GroupServiceAccountAccessPolicy)ap).GrantedServiceAccount) .FirstOrDefaultAsync();
.FirstOrDefaultAsync();
if (entity == null) return entity == null ? null : MapToCore(entity);
{
return null;
}
return MapToCore(entity);
}
} }
public async Task ReplaceAsync(Core.SecretsManager.Entities.BaseAccessPolicy baseAccessPolicy) public async Task ReplaceAsync(Core.SecretsManager.Entities.BaseAccessPolicy baseAccessPolicy)
{ {
using (var scope = ServiceScopeFactory.CreateScope()) using var scope = ServiceScopeFactory.CreateScope();
var dbContext = GetDatabaseContext(scope);
var entity = await dbContext.AccessPolicies.FindAsync(baseAccessPolicy.Id);
if (entity != null)
{ {
var dbContext = GetDatabaseContext(scope); dbContext.AccessPolicies.Attach(entity);
var entity = await dbContext.AccessPolicies.FindAsync(baseAccessPolicy.Id); entity.Write = baseAccessPolicy.Write;
if (entity != null) entity.Read = baseAccessPolicy.Read;
{ entity.RevisionDate = baseAccessPolicy.RevisionDate;
dbContext.AccessPolicies.Attach(entity); await dbContext.SaveChangesAsync();
entity.Write = baseAccessPolicy.Write;
entity.Read = baseAccessPolicy.Read;
entity.RevisionDate = baseAccessPolicy.RevisionDate;
await dbContext.SaveChangesAsync();
}
} }
} }
public async Task<IEnumerable<Core.SecretsManager.Entities.BaseAccessPolicy>> GetManyByGrantedProjectIdAsync(Guid id) public async Task<IEnumerable<Core.SecretsManager.Entities.BaseAccessPolicy>> GetManyByGrantedProjectIdAsync(Guid id)
{ {
using (var scope = ServiceScopeFactory.CreateScope()) using var scope = ServiceScopeFactory.CreateScope();
{ var dbContext = GetDatabaseContext(scope);
var dbContext = GetDatabaseContext(scope);
var entities = await dbContext.AccessPolicies.Where(ap => var entities = await dbContext.AccessPolicies.Where(ap =>
((UserProjectAccessPolicy)ap).GrantedProjectId == id || ((UserProjectAccessPolicy)ap).GrantedProjectId == id ||
((GroupProjectAccessPolicy)ap).GrantedProjectId == id || ((GroupProjectAccessPolicy)ap).GrantedProjectId == id ||
((ServiceAccountProjectAccessPolicy)ap).GrantedProjectId == id) ((ServiceAccountProjectAccessPolicy)ap).GrantedProjectId == id)
.Include(ap => ((UserProjectAccessPolicy)ap).OrganizationUser.User) .Include(ap => ((UserProjectAccessPolicy)ap).OrganizationUser.User)
.Include(ap => ((GroupProjectAccessPolicy)ap).Group) .Include(ap => ((GroupProjectAccessPolicy)ap).Group)
.Include(ap => ((ServiceAccountProjectAccessPolicy)ap).ServiceAccount) .Include(ap => ((ServiceAccountProjectAccessPolicy)ap).ServiceAccount)
.ToListAsync(); .ToListAsync();
return entities.Select(MapToCore);
return entities.Select(MapToCore);
}
} }
public async Task<IEnumerable<Core.SecretsManager.Entities.BaseAccessPolicy>> GetManyByGrantedServiceAccountIdAsync(Guid id) public async Task<IEnumerable<Core.SecretsManager.Entities.BaseAccessPolicy>> GetManyByGrantedServiceAccountIdAsync(Guid id)
@ -181,15 +181,13 @@ public class AccessPolicyRepository : BaseEntityFrameworkRepository, IAccessPoli
public async Task DeleteAsync(Guid id) public async Task DeleteAsync(Guid id)
{ {
using (var scope = ServiceScopeFactory.CreateScope()) using var scope = ServiceScopeFactory.CreateScope();
var dbContext = GetDatabaseContext(scope);
var entity = await dbContext.AccessPolicies.FindAsync(id);
if (entity != null)
{ {
var dbContext = GetDatabaseContext(scope); dbContext.Remove(entity);
var entity = await dbContext.AccessPolicies.FindAsync(id); await dbContext.SaveChangesAsync();
if (entity != null)
{
dbContext.Remove(entity);
await dbContext.SaveChangesAsync();
}
} }
} }

347
bitwarden_license/test/Commercial.Core.Test/SecretsManager/AccessPolicies/CreateAccessPoliciesCommandTests.cs
View File

@ -17,9 +17,127 @@ namespace Bit.Commercial.Core.Test.SecretsManager.AccessPolicies;
[ProjectCustomize] [ProjectCustomize]
public class CreateAccessPoliciesCommandTests public class CreateAccessPoliciesCommandTests
{ {
private static List<BaseAccessPolicy> MakeDuplicate(List<BaseAccessPolicy> data, AccessPolicyType accessPolicyType)
{
switch (accessPolicyType)
{
case AccessPolicyType.UserProjectAccessPolicy:
{
var mockAccessPolicy = new UserProjectAccessPolicy
{
OrganizationUserId = Guid.NewGuid(),
GrantedProjectId = Guid.NewGuid(),
};
data.Add(mockAccessPolicy);
// Add a duplicate policy
data.Add(mockAccessPolicy);
break;
}
case AccessPolicyType.GroupProjectAccessPolicy:
{
var mockAccessPolicy = new GroupProjectAccessPolicy
{
GroupId = Guid.NewGuid(),
GrantedProjectId = Guid.NewGuid(),
};
data.Add(mockAccessPolicy);
// Add a duplicate policy
data.Add(mockAccessPolicy);
break;
}
case AccessPolicyType.ServiceAccountProjectAccessPolicy:
{
var mockAccessPolicy = new ServiceAccountProjectAccessPolicy
{
ServiceAccountId = Guid.NewGuid(),
GrantedProjectId = Guid.NewGuid(),
};
data.Add(mockAccessPolicy);
// Add a duplicate policy
data.Add(mockAccessPolicy);
break;
}
case AccessPolicyType.UserServiceAccountAccessPolicy:
{
var mockAccessPolicy = new UserServiceAccountAccessPolicy
{
OrganizationUserId = Guid.NewGuid(),
GrantedServiceAccountId = Guid.NewGuid(),
};
data.Add(mockAccessPolicy);
// Add a duplicate policy
data.Add(mockAccessPolicy);
break;
}
case AccessPolicyType.GroupServiceAccountAccessPolicy:
{
var mockAccessPolicy = new GroupServiceAccountAccessPolicy
{
GroupId = Guid.NewGuid(),
GrantedServiceAccountId = Guid.NewGuid(),
};
data.Add(mockAccessPolicy);
// Add a duplicate policy
data.Add(mockAccessPolicy);
break;
}
}
return data;
}
private static void SetupAdmin(SutProvider<CreateAccessPoliciesCommand> sutProvider, Guid organizationId)
{
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId).Returns(true);
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(organizationId).Returns(true);
}
private static void SetupUser(SutProvider<CreateAccessPoliciesCommand> sutProvider, Guid organizationId)
{
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId).Returns(true);
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(organizationId).Returns(false);
}
private static void SetupPermission(SutProvider<CreateAccessPoliciesCommand> sutProvider,
PermissionType permissionType, Project project, Guid userId)
{
switch (permissionType)
{
case PermissionType.RunAsAdmin:
SetupAdmin(sutProvider, project.OrganizationId);
break;
case PermissionType.RunAsUserWithPermission:
SetupUser(sutProvider, project.OrganizationId);
sutProvider.GetDependency<IProjectRepository>().UserHasWriteAccessToProject(project.Id, userId)
.Returns(true);
break;
}
}
private static void SetupPermission(SutProvider<CreateAccessPoliciesCommand> sutProvider,
PermissionType permissionType, ServiceAccount serviceAccount, Guid userId)
{
switch (permissionType)
{
case PermissionType.RunAsAdmin:
SetupAdmin(sutProvider, serviceAccount.OrganizationId);
break;
case PermissionType.RunAsUserWithPermission:
SetupUser(sutProvider, serviceAccount.OrganizationId);
sutProvider.GetDependency<IServiceAccountRepository>()
.UserHasWriteAccessToServiceAccount(serviceAccount.Id, userId).Returns(true);
break;
}
}
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async Task CreateAsync_SmNotEnabled_Throws( public async Task CreateForProject_SmNotEnabled_Throws(
Guid userId, Guid userId,
Project project, Project project,
List<UserProjectAccessPolicy> userProjectAccessPolicies, List<UserProjectAccessPolicy> userProjectAccessPolicies,
@ -42,7 +160,7 @@ public class CreateAccessPoliciesCommandTests
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async Task CreateAsync_AlreadyExists_Throws_BadRequestException( public async Task CreateForProject_AlreadyExists_Throws_BadRequestException(
Guid userId, Guid userId,
Project project, Project project,
List<UserProjectAccessPolicy> userProjectAccessPolicies, List<UserProjectAccessPolicy> userProjectAccessPolicies,
@ -55,10 +173,8 @@ public class CreateAccessPoliciesCommandTests
data.AddRange(groupProjectAccessPolicies); data.AddRange(groupProjectAccessPolicies);
data.AddRange(serviceAccountProjectAccessPolicies); data.AddRange(serviceAccountProjectAccessPolicies);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true); SetupAdmin(sutProvider, project.OrganizationId);
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(project.Id).Returns(project); sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(project.Id).Returns(project);
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(project.OrganizationId).Returns(true);
sutProvider.GetDependency<IAccessPolicyRepository>().AccessPolicyExists(Arg.Any<BaseAccessPolicy>()) sutProvider.GetDependency<IAccessPolicyRepository>().AccessPolicyExists(Arg.Any<BaseAccessPolicy>())
.Returns(true); .Returns(true);
@ -69,17 +185,13 @@ public class CreateAccessPoliciesCommandTests
} }
[Theory] [Theory]
[BitAutoData(true, false, false)] [BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
[BitAutoData(false, true, false)] [BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
[BitAutoData(true, true, false)] [BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy)]
[BitAutoData(false, false, true)] [BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
[BitAutoData(true, false, true)] [BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
[BitAutoData(false, true, true)] public async Task CreateForProjectAsync_NotUnique_ThrowsException(
[BitAutoData(true, true, true)] AccessPolicyType accessPolicyType,
public async Task CreateAsync_NotUnique_ThrowsException(
bool testUserPolicies,
bool testGroupPolicies,
bool testServiceAccountPolicies,
Guid userId, Guid userId,
Project project, Project project,
List<UserProjectAccessPolicy> userProjectAccessPolicies, List<UserProjectAccessPolicy> userProjectAccessPolicies,
@ -92,64 +204,24 @@ public class CreateAccessPoliciesCommandTests
data.AddRange(userProjectAccessPolicies); data.AddRange(userProjectAccessPolicies);
data.AddRange(groupProjectAccessPolicies); data.AddRange(groupProjectAccessPolicies);
data.AddRange(serviceAccountProjectAccessPolicies); data.AddRange(serviceAccountProjectAccessPolicies);
data = MakeDuplicate(data, accessPolicyType);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true); SetupAdmin(sutProvider, project.OrganizationId);
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(project.Id).Returns(project); sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(project.Id).Returns(project);
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(project.OrganizationId).Returns(true);
if (testUserPolicies)
{
var mockUserPolicy = new UserProjectAccessPolicy
{
OrganizationUserId = Guid.NewGuid(),
GrantedProjectId = Guid.NewGuid(),
};
data.Add(mockUserPolicy);
// Add a duplicate policy
data.Add(mockUserPolicy);
}
if (testGroupPolicies)
{
var mockGroupPolicy = new GroupProjectAccessPolicy
{
GroupId = Guid.NewGuid(),
GrantedProjectId = Guid.NewGuid(),
};
data.Add(mockGroupPolicy);
// Add a duplicate policy
data.Add(mockGroupPolicy);
}
if (testServiceAccountPolicies)
{
var mockServiceAccountPolicy = new ServiceAccountProjectAccessPolicy
{
ServiceAccountId = Guid.NewGuid(),
GrantedProjectId = Guid.NewGuid(),
};
data.Add(mockServiceAccountPolicy);
// Add a duplicate policy
data.Add(mockServiceAccountPolicy);
}
sutProvider.GetDependency<IAccessPolicyRepository>().AccessPolicyExists(Arg.Any<BaseAccessPolicy>()) sutProvider.GetDependency<IAccessPolicyRepository>().AccessPolicyExists(Arg.Any<BaseAccessPolicy>())
.Returns(true); .Returns(true);
await Assert.ThrowsAsync<BadRequestException>(() => await Assert.ThrowsAsync<BadRequestException>(() =>
sutProvider.Sut.CreateForProjectAsync(project.Id, data, userId)); sutProvider.Sut.CreateForProjectAsync(project.Id, data, userId));
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().CreateManyAsync(default); await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
} }
[Theory] [Theory]
[BitAutoData(PermissionType.RunAsAdmin)] [BitAutoData(PermissionType.RunAsAdmin)]
[BitAutoData(PermissionType.RunAsUserWithPermission)] [BitAutoData(PermissionType.RunAsUserWithPermission)]
public async Task CreateAsync_Success( public async Task CreateForProject_Success(
PermissionType permissionType, PermissionType permissionType,
Guid userId, Guid userId,
Project project, Project project,
@ -163,18 +235,8 @@ public class CreateAccessPoliciesCommandTests
data.AddRange(groupProjectAccessPolicies); data.AddRange(groupProjectAccessPolicies);
data.AddRange(serviceAccountProjectAccessPolicies); data.AddRange(serviceAccountProjectAccessPolicies);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(project.Id).Returns(project); sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(project.Id).Returns(project);
SetupPermission(sutProvider, permissionType, project, userId);
switch (permissionType)
{
case PermissionType.RunAsAdmin:
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(project.OrganizationId).Returns(true);
break;
case PermissionType.RunAsUserWithPermission:
sutProvider.GetDependency<IProjectRepository>().UserHasWriteAccessToProject(project.Id, userId).Returns(true);
break;
}
await sutProvider.Sut.CreateForProjectAsync(project.Id, data, userId); await sutProvider.Sut.CreateForProjectAsync(project.Id, data, userId);
@ -184,7 +246,7 @@ public class CreateAccessPoliciesCommandTests
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async Task CreateAsync_User_NoPermission( public async Task CreateForProject_UserNoPermission_ThrowsNotFound(
Guid userId, Guid userId,
Project project, Project project,
List<UserProjectAccessPolicy> userProjectAccessPolicies, List<UserProjectAccessPolicy> userProjectAccessPolicies,
@ -197,13 +259,148 @@ public class CreateAccessPoliciesCommandTests
data.AddRange(groupProjectAccessPolicies); data.AddRange(groupProjectAccessPolicies);
data.AddRange(serviceAccountProjectAccessPolicies); data.AddRange(serviceAccountProjectAccessPolicies);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true); SetupUser(sutProvider, project.OrganizationId);
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(project.Id).Returns(project);
sutProvider.GetDependency<IProjectRepository>().UserHasWriteAccessToProject(project.Id, userId).Returns(false); sutProvider.GetDependency<IProjectRepository>().UserHasWriteAccessToProject(project.Id, userId).Returns(false);
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(project.Id).Returns(project);
await Assert.ThrowsAsync<NotFoundException>(() => await Assert.ThrowsAsync<NotFoundException>(() =>
sutProvider.Sut.CreateForProjectAsync(project.Id, data, userId)); sutProvider.Sut.CreateForProjectAsync(project.Id, data, userId));
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().CreateManyAsync(default); await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().CreateManyAsync(default);
} }
[Theory]
[BitAutoData]
public async Task CreateForServiceAccount_SmNotEnabled_Throws(
Guid userId,
ServiceAccount serviceAccount,
List<UserProjectAccessPolicy> userProjectAccessPolicies,
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
SutProvider<CreateAccessPoliciesCommand> sutProvider)
{
var data = new List<BaseAccessPolicy>();
data.AddRange(userProjectAccessPolicies);
data.AddRange(groupProjectAccessPolicies);
data.AddRange(serviceAccountProjectAccessPolicies);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(false);
await Assert.ThrowsAsync<NotFoundException>(() =>
sutProvider.Sut.CreateForServiceAccountAsync(serviceAccount.Id, data, userId));
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
}
[Theory]
[BitAutoData]
public async Task CreateForServiceAccount_AlreadyExists_ThrowsBadRequestException(
Guid userId,
ServiceAccount serviceAccount,
List<UserProjectAccessPolicy> userProjectAccessPolicies,
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
SutProvider<CreateAccessPoliciesCommand> sutProvider)
{
var data = new List<BaseAccessPolicy>();
data.AddRange(userProjectAccessPolicies);
data.AddRange(groupProjectAccessPolicies);
data.AddRange(serviceAccountProjectAccessPolicies);
SetupAdmin(sutProvider, serviceAccount.OrganizationId);
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(serviceAccount.Id).Returns(serviceAccount);
sutProvider.GetDependency<IAccessPolicyRepository>().AccessPolicyExists(Arg.Any<BaseAccessPolicy>())
.Returns(true);
await Assert.ThrowsAsync<BadRequestException>(() =>
sutProvider.Sut.CreateForServiceAccountAsync(serviceAccount.Id, data, userId));
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
}
[Theory]
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy)]
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
public async Task CreateForServiceAccount_NotUnique_Throws(
AccessPolicyType accessPolicyType,
Guid userId,
ServiceAccount serviceAccount,
List<UserProjectAccessPolicy> userProjectAccessPolicies,
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
SutProvider<CreateAccessPoliciesCommand> sutProvider
)
{
var data = new List<BaseAccessPolicy>();
data.AddRange(userProjectAccessPolicies);
data.AddRange(groupProjectAccessPolicies);
data.AddRange(serviceAccountProjectAccessPolicies);
data = MakeDuplicate(data, accessPolicyType);
SetupAdmin(sutProvider, serviceAccount.OrganizationId);
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(serviceAccount.Id).Returns(serviceAccount);
sutProvider.GetDependency<IAccessPolicyRepository>().AccessPolicyExists(Arg.Any<BaseAccessPolicy>())
.Returns(true);
await Assert.ThrowsAsync<BadRequestException>(() =>
sutProvider.Sut.CreateForServiceAccountAsync(serviceAccount.Id, data, userId));
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
}
[Theory]
[BitAutoData(PermissionType.RunAsAdmin)]
[BitAutoData(PermissionType.RunAsUserWithPermission)]
public async Task CreateForServiceAccount_Success(
PermissionType permissionType,
Guid userId,
ServiceAccount serviceAccount,
List<UserServiceAccountAccessPolicy> userServiceAccountAccessPolicies,
List<GroupServiceAccountAccessPolicy> groupServiceAccountAccessPolicies,
SutProvider<CreateAccessPoliciesCommand> sutProvider)
{
var data = new List<BaseAccessPolicy>();
data.AddRange(userServiceAccountAccessPolicies);
data.AddRange(groupServiceAccountAccessPolicies);
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(serviceAccount.Id).Returns(serviceAccount);
SetupPermission(sutProvider, permissionType, serviceAccount, userId);
await sutProvider.Sut.CreateForServiceAccountAsync(serviceAccount.Id, data, userId);
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
.CreateManyAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)));
}
[Theory]
[BitAutoData]
public async Task CreateForServiceAccount_UserWithoutPermission_ThrowsNotFound(
Guid userId,
ServiceAccount serviceAccount,
List<UserServiceAccountAccessPolicy> userServiceAccountAccessPolicies,
List<GroupServiceAccountAccessPolicy> groupServiceAccountAccessPolicies,
SutProvider<CreateAccessPoliciesCommand> sutProvider)
{
var data = new List<BaseAccessPolicy>();
data.AddRange(userServiceAccountAccessPolicies);
data.AddRange(groupServiceAccountAccessPolicies);
SetupUser(sutProvider, serviceAccount.OrganizationId);
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(serviceAccount.Id).Returns(serviceAccount);
sutProvider.GetDependency<IServiceAccountRepository>()
.UserHasWriteAccessToServiceAccount(serviceAccount.Id, userId).Returns(false);
await Assert.ThrowsAsync<NotFoundException>(() =>
sutProvider.Sut.CreateForServiceAccountAsync(serviceAccount.Id, data, userId));
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
}
} }

47
src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
View File

@ -20,13 +20,13 @@ namespace Bit.Api.SecretsManager.Controllers;
public class AccessPoliciesController : Controller public class AccessPoliciesController : Controller
{ {
private readonly IAccessPolicyRepository _accessPolicyRepository; private readonly IAccessPolicyRepository _accessPolicyRepository;
private readonly IServiceAccountRepository _serviceAccountRepository;
private readonly ICreateAccessPoliciesCommand _createAccessPoliciesCommand; private readonly ICreateAccessPoliciesCommand _createAccessPoliciesCommand;
private readonly ICurrentContext _currentContext; private readonly ICurrentContext _currentContext;
private readonly IDeleteAccessPolicyCommand _deleteAccessPolicyCommand; private readonly IDeleteAccessPolicyCommand _deleteAccessPolicyCommand;
private readonly IGroupRepository _groupRepository; private readonly IGroupRepository _groupRepository;
private readonly IOrganizationUserRepository _organizationUserRepository; private readonly IOrganizationUserRepository _organizationUserRepository;
private readonly IProjectRepository _projectRepository; private readonly IProjectRepository _projectRepository;
private readonly IServiceAccountRepository _serviceAccountRepository;
private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand; private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
private readonly IUserService _userService; private readonly IUserService _userService;
@ -74,6 +74,26 @@ public class AccessPoliciesController : Controller
return new ProjectAccessPoliciesResponseModel(results); return new ProjectAccessPoliciesResponseModel(results);
} }
[HttpPost("/service-accounts/{id}/access-policies")]
public async Task<ServiceAccountAccessPoliciesResponseModel> CreateServiceAccountAccessPoliciesAsync([FromRoute] Guid id,
[FromBody] AccessPoliciesCreateRequest request)
{
var userId = _userService.GetProperUserId(User).Value;
var policies = request.ToBaseAccessPoliciesForServiceAccount(id);
var results = await _createAccessPoliciesCommand.CreateForServiceAccountAsync(id, policies, userId);
return new ServiceAccountAccessPoliciesResponseModel(results);
}
[HttpGet("/service-accounts/{id}/access-policies")]
public async Task<ServiceAccountAccessPoliciesResponseModel> GetServiceAccountAccessPoliciesAsync([FromRoute] Guid id)
{
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
await CheckUserHasWriteAccessToServiceAccountAsync(serviceAccount);
var results = await _accessPolicyRepository.GetManyByGrantedServiceAccountIdAsync(id);
return new ServiceAccountAccessPoliciesResponseModel(results);
}
[HttpPut("{id}")] [HttpPut("{id}")]
public async Task<BaseAccessPolicyResponseModel> UpdateAccessPolicyAsync([FromRoute] Guid id, public async Task<BaseAccessPolicyResponseModel> UpdateAccessPolicyAsync([FromRoute] Guid id,
[FromBody] AccessPolicyUpdateRequest request) [FromBody] AccessPolicyUpdateRequest request)
@ -84,7 +104,9 @@ public class AccessPoliciesController : Controller
return result switch return result switch
{ {
UserProjectAccessPolicy accessPolicy => new UserProjectAccessPolicyResponseModel(accessPolicy), UserProjectAccessPolicy accessPolicy => new UserProjectAccessPolicyResponseModel(accessPolicy),
UserServiceAccountAccessPolicy accessPolicy => new UserServiceAccountAccessPolicyResponseModel(accessPolicy),
GroupProjectAccessPolicy accessPolicy => new GroupProjectAccessPolicyResponseModel(accessPolicy), GroupProjectAccessPolicy accessPolicy => new GroupProjectAccessPolicyResponseModel(accessPolicy),
GroupServiceAccountAccessPolicy accessPolicy => new GroupServiceAccountAccessPolicyResponseModel(accessPolicy),
ServiceAccountProjectAccessPolicy accessPolicy => new ServiceAccountProjectAccessPolicyResponseModel( ServiceAccountProjectAccessPolicy accessPolicy => new ServiceAccountProjectAccessPolicyResponseModel(
accessPolicy), accessPolicy),
_ => throw new ArgumentException("Unsupported access policy type provided."), _ => throw new ArgumentException("Unsupported access policy type provided."),
@ -163,4 +185,27 @@ public class AccessPoliciesController : Controller
throw new NotFoundException(); throw new NotFoundException();
} }
} }
private async Task CheckUserHasWriteAccessToServiceAccountAsync(ServiceAccount serviceAccount)
{
if (serviceAccount == null || !_currentContext.AccessSecretsManager(serviceAccount.OrganizationId))
{
throw new NotFoundException();
}
var userId = _userService.GetProperUserId(User).Value;
var orgAdmin = await _currentContext.OrganizationAdmin(serviceAccount.OrganizationId);
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
var hasAccess = accessClient switch
{
AccessClientType.NoAccessCheck => true,
AccessClientType.User => await _serviceAccountRepository.UserHasWriteAccessToServiceAccount(serviceAccount.Id, userId),
_ => false,
};
if (!hasAccess)
{
throw new NotFoundException();
}
}
} }

69
src/Api/SecretsManager/Models/Request/AccessPoliciesCreateRequest.cs
View File

@ -13,7 +13,7 @@ public class AccessPoliciesCreateRequest
public IEnumerable<AccessPolicyRequest>? ServiceAccountAccessPolicyRequests { get; set; } public IEnumerable<AccessPolicyRequest>? ServiceAccountAccessPolicyRequests { get; set; }
public List<BaseAccessPolicy> ToBaseAccessPoliciesForProject(Guid projectId) public List<BaseAccessPolicy> ToBaseAccessPoliciesForProject(Guid grantedProjectId)
{ {
if (UserAccessPolicyRequests == null && GroupAccessPolicyRequests == null && ServiceAccountAccessPolicyRequests == null) if (UserAccessPolicyRequests == null && GroupAccessPolicyRequests == null && ServiceAccountAccessPolicyRequests == null)
{ {
@ -21,18 +21,55 @@ public class AccessPoliciesCreateRequest
} }
var userAccessPolicies = UserAccessPolicyRequests? var userAccessPolicies = UserAccessPolicyRequests?
.Select(x => x.ToUserProjectAccessPolicy(projectId)).ToList(); .Select(x => x.ToUserProjectAccessPolicy(grantedProjectId)).ToList();
var groupAccessPolicies = GroupAccessPolicyRequests? var groupAccessPolicies = GroupAccessPolicyRequests?
.Select(x => x.ToGroupProjectAccessPolicy(projectId)).ToList(); .Select(x => x.ToGroupProjectAccessPolicy(grantedProjectId)).ToList();
var serviceAccountAccessPolicies = ServiceAccountAccessPolicyRequests? var serviceAccountAccessPolicies = ServiceAccountAccessPolicyRequests?
.Select(x => x.ToServiceAccountProjectAccessPolicy(projectId)).ToList(); .Select(x => x.ToServiceAccountProjectAccessPolicy(grantedProjectId)).ToList();
var policies = new List<BaseAccessPolicy>(); var policies = new List<BaseAccessPolicy>();
if (userAccessPolicies != null) { policies.AddRange(userAccessPolicies); } if (userAccessPolicies != null)
if (groupAccessPolicies != null) { policies.AddRange(groupAccessPolicies); } {
if (serviceAccountAccessPolicies != null) { policies.AddRange(serviceAccountAccessPolicies); } policies.AddRange(userAccessPolicies);
}
if (groupAccessPolicies != null)
{
policies.AddRange(groupAccessPolicies);
}
if (serviceAccountAccessPolicies != null)
{
policies.AddRange(serviceAccountAccessPolicies);
}
return policies;
}
public List<BaseAccessPolicy> ToBaseAccessPoliciesForServiceAccount(Guid grantedServiceAccountId)
{
if (UserAccessPolicyRequests == null && GroupAccessPolicyRequests == null)
{
throw new BadRequestException("No creation requests provided.");
}
var userAccessPolicies = UserAccessPolicyRequests?
.Select(x => x.ToUserServiceAccountAccessPolicy(grantedServiceAccountId)).ToList();
var groupAccessPolicies = GroupAccessPolicyRequests?
.Select(x => x.ToGroupServiceAccountAccessPolicy(grantedServiceAccountId)).ToList();
var policies = new List<BaseAccessPolicy>();
if (userAccessPolicies != null)
{
policies.AddRange(userAccessPolicies);
}
if (groupAccessPolicies != null)
{
policies.AddRange(groupAccessPolicies);
}
return policies; return policies;
} }
} }
@ -74,4 +111,22 @@ public class AccessPolicyRequest
Read = Read, Read = Read,
Write = Write Write = Write
}; };
public UserServiceAccountAccessPolicy ToUserServiceAccountAccessPolicy(Guid id) =>
new()
{
OrganizationUserId = GranteeId,
GrantedServiceAccountId = id,
Read = Read,
Write = Write
};
public GroupServiceAccountAccessPolicy ToGroupServiceAccountAccessPolicy(Guid id) =>
new()
{
GroupId = GranteeId,
GrantedServiceAccountId = id,
Read = Read,
Write = Write
};
} }

2
src/Api/SecretsManager/Models/Response/ProjectAccessPoliciesResponseModel.cs
View File

@ -11,6 +11,7 @@ public class ProjectAccessPoliciesResponseModel : ResponseModel
: base(_objectName) : base(_objectName)
{ {
foreach (var baseAccessPolicy in baseAccessPolicies) foreach (var baseAccessPolicy in baseAccessPolicies)
{
switch (baseAccessPolicy) switch (baseAccessPolicy)
{ {
case UserProjectAccessPolicy accessPolicy: case UserProjectAccessPolicy accessPolicy:
@ -24,6 +25,7 @@ public class ProjectAccessPoliciesResponseModel : ResponseModel
new ServiceAccountProjectAccessPolicyResponseModel(accessPolicy)); new ServiceAccountProjectAccessPolicyResponseModel(accessPolicy));
break; break;
} }
}
} }
public ProjectAccessPoliciesResponseModel() : base(_objectName) public ProjectAccessPoliciesResponseModel() : base(_objectName)

39
src/Api/SecretsManager/Models/Response/ServiceAccountAccessPoliciesResponseModel.cs Normal file
View File

@ -0,0 +1,39 @@
using Bit.Core.Models.Api;
using Bit.Core.SecretsManager.Entities;
namespace Bit.Api.SecretsManager.Models.Response;
public class ServiceAccountAccessPoliciesResponseModel : ResponseModel
{
private const string _objectName = "serviceAccountAccessPolicies";
public ServiceAccountAccessPoliciesResponseModel(IEnumerable<BaseAccessPolicy> baseAccessPolicies)
: base(_objectName)
{
if (baseAccessPolicies == null)
{
return;
}
foreach (var baseAccessPolicy in baseAccessPolicies)
{
switch (baseAccessPolicy)
{
case UserServiceAccountAccessPolicy accessPolicy:
UserAccessPolicies.Add(new UserServiceAccountAccessPolicyResponseModel(accessPolicy));
break;
case GroupServiceAccountAccessPolicy accessPolicy:
GroupAccessPolicies.Add(new GroupServiceAccountAccessPolicyResponseModel(accessPolicy));
break;
}
}
}
public ServiceAccountAccessPoliciesResponseModel() : base(_objectName)
{
}
public List<UserServiceAccountAccessPolicyResponseModel> UserAccessPolicies { get; set; } = new();
public List<GroupServiceAccountAccessPolicyResponseModel> GroupAccessPolicies { get; set; } = new();
}

1
src/Core/SecretsManager/Commands/AccessPolicies/Interfaces/ICreateAccessPoliciesCommand.cs
View File

@ -5,4 +5,5 @@ namespace Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
public interface ICreateAccessPoliciesCommand public interface ICreateAccessPoliciesCommand
{ {
Task<IEnumerable<BaseAccessPolicy>> CreateForProjectAsync(Guid projectId, List<BaseAccessPolicy> accessPolicies, Guid userId); Task<IEnumerable<BaseAccessPolicy>> CreateForProjectAsync(Guid projectId, List<BaseAccessPolicy> accessPolicies, Guid userId);
Task<IEnumerable<BaseAccessPolicy>> CreateForServiceAccountAsync(Guid serviceAccountId, List<BaseAccessPolicy> accessPolicies, Guid userId);
} }

2
src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
View File

@ -21,6 +21,8 @@ public class DatabaseContext : DbContext
public DbSet<UserProjectAccessPolicy> UserProjectAccessPolicy { get; set; } public DbSet<UserProjectAccessPolicy> UserProjectAccessPolicy { get; set; }
public DbSet<GroupProjectAccessPolicy> GroupProjectAccessPolicy { get; set; } public DbSet<GroupProjectAccessPolicy> GroupProjectAccessPolicy { get; set; }
public DbSet<ServiceAccountProjectAccessPolicy> ServiceAccountProjectAccessPolicy { get; set; } public DbSet<ServiceAccountProjectAccessPolicy> ServiceAccountProjectAccessPolicy { get; set; }
public DbSet<UserServiceAccountAccessPolicy> UserServiceAccountAccessPolicy { get; set; }
public DbSet<GroupServiceAccountAccessPolicy> GroupServiceAccountAccessPolicy { get; set; }
public DbSet<ApiKey> ApiKeys { get; set; } public DbSet<ApiKey> ApiKeys { get; set; }
public DbSet<Cipher> Ciphers { get; set; } public DbSet<Cipher> Ciphers { get; set; }
public DbSet<Collection> Collections { get; set; } public DbSet<Collection> Collections { get; set; }

229
test/Api.IntegrationTest/SecretsManager/Controllers/AccessPoliciesControllerTest.cs
View File

@ -534,6 +534,235 @@ public class AccessPoliciesControllerTest : IClassFixture<ApiApplicationFactory>
Assert.Equal(serviceAccount.Id.ToString(), result!.Data.First(x => x.Id == serviceAccount.Id.ToString()).Id); Assert.Equal(serviceAccount.Id.ToString(), result!.Data.First(x => x.Id == serviceAccount.Id.ToString()).Id);
} }
[Theory]
[InlineData(false, false)]
[InlineData(true, false)]
[InlineData(false, true)]
public async Task CreateServiceAccountAccessPolicies_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
{
var (org, orgUser) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
await LoginAsync(_email);
var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
{
OrganizationId = org.Id,
Name = _mockEncryptedString,
});
var request = new AccessPoliciesCreateRequest
{
UserAccessPolicyRequests = new List<AccessPolicyRequest>
{
new() { GranteeId = orgUser.Id, Read = true, Write = true },
},
};
var response =
await _client.PostAsJsonAsync($"/service-accounts/{serviceAccount.Id}/access-policies", request);
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Theory]
[InlineData(PermissionType.RunAsAdmin)]
[InlineData(PermissionType.RunAsUserWithPermission)]
public async Task CreateServiceAccountAccessPolicies(PermissionType permissionType)
{
var (org, orgUser) = await _organizationHelper.Initialize(true, true);
await LoginAsync(_email);
var ownerOrgUserId = orgUser.Id;
var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
{
OrganizationId = org.Id,
Name = _mockEncryptedString,
});
var request = new AccessPoliciesCreateRequest
{
UserAccessPolicyRequests = new List<AccessPolicyRequest>
{
new() { GranteeId = orgUser.Id, Read = true, Write = true },
},
};
if (permissionType == PermissionType.RunAsUserWithPermission)
{
var (email, newOrgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);
var accessPolicies = new List<BaseAccessPolicy>
{
new UserServiceAccountAccessPolicy
{
GrantedServiceAccountId = serviceAccount.Id,
OrganizationUserId = newOrgUser.Id,
Read = true,
Write = true,
},
};
await _accessPolicyRepository.CreateManyAsync(accessPolicies);
request = new AccessPoliciesCreateRequest
{
UserAccessPolicyRequests = new List<AccessPolicyRequest>
{
new() { GranteeId = ownerOrgUserId, Read = true, Write = true },
},
};
}
var response =
await _client.PostAsJsonAsync($"/service-accounts/{serviceAccount.Id}/access-policies", request);
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<ServiceAccountAccessPoliciesResponseModel>();
Assert.NotNull(result);
Assert.Equal(ownerOrgUserId,
result!.UserAccessPolicies.First(ap => ap.OrganizationUserId == ownerOrgUserId).OrganizationUserId);
Assert.True(result.UserAccessPolicies.First().Read);
Assert.True(result.UserAccessPolicies.First().Write);
AssertHelper.AssertRecent(result.UserAccessPolicies.First().RevisionDate);
AssertHelper.AssertRecent(result.UserAccessPolicies.First().CreationDate);
var createdAccessPolicy =
await _accessPolicyRepository.GetByIdAsync(result.UserAccessPolicies.First().Id);
Assert.NotNull(createdAccessPolicy);
Assert.Equal(result.UserAccessPolicies.First().Read, createdAccessPolicy!.Read);
Assert.Equal(result.UserAccessPolicies.First().Write, createdAccessPolicy.Write);
Assert.Equal(result.UserAccessPolicies.First().Id, createdAccessPolicy.Id);
AssertHelper.AssertRecent(createdAccessPolicy.CreationDate);
AssertHelper.AssertRecent(createdAccessPolicy.RevisionDate);
}
[Fact]
public async Task CreateServiceAccountAccessPolicies_NoPermission()
{
// Create a new account as a user
var (org, _) = await _organizationHelper.Initialize(true, true);
var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);
var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
{
OrganizationId = org.Id,
Name = _mockEncryptedString,
});
var request = new AccessPoliciesCreateRequest
{
UserAccessPolicyRequests = new List<AccessPolicyRequest>
{
new() { GranteeId = orgUser.Id, Read = true, Write = true },
},
};
var response =
await _client.PostAsJsonAsync($"/service-accounts/{serviceAccount.Id}/access-policies", request);
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Theory]
[InlineData(false, false)]
[InlineData(true, false)]
[InlineData(false, true)]
public async Task GetServiceAccountAccessPolicies_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
{
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
await LoginAsync(_email);
var initData = await SetupAccessPolicyRequest(org.Id);
var response = await _client.GetAsync($"/service-accounts/{initData.ServiceAccountId}/access-policies");
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task GetServiceAccountAccessPolicies_ReturnsEmpty()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
await LoginAsync(_email);
var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
{
OrganizationId = org.Id,
Name = _mockEncryptedString,
});
var response = await _client.GetAsync($"/service-accounts/{serviceAccount.Id}/access-policies");
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<ServiceAccountAccessPoliciesResponseModel>();
Assert.NotNull(result);
Assert.Empty(result!.UserAccessPolicies);
Assert.Empty(result!.GroupAccessPolicies);
}
[Fact]
public async Task GetServiceAccountAccessPolicies_NoPermission()
{
// Create a new account as a user
var (org, _) = await _organizationHelper.Initialize(true, true);
var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);
var initData = await SetupAccessPolicyRequest(orgUser.OrganizationId);
var response = await _client.GetAsync($"/service-accounts/{initData.ServiceAccountId}/access-policies");
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Theory]
[InlineData(PermissionType.RunAsAdmin)]
[InlineData(PermissionType.RunAsUserWithPermission)]
public async Task GetServiceAccountAccessPolicies(PermissionType permissionType)
{
var (org, owerOrgUser) = await _organizationHelper.Initialize(true, true);
await LoginAsync(_email);
var initData = await SetupAccessPolicyRequest(org.Id);
if (permissionType == PermissionType.RunAsUserWithPermission)
{
var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);
var accessPolicies = new List<BaseAccessPolicy>
{
new UserServiceAccountAccessPolicy
{
GrantedServiceAccountId = initData.ServiceAccountId,
OrganizationUserId = orgUser.Id,
Read = true,
Write = true,
},
};
await _accessPolicyRepository.CreateManyAsync(accessPolicies);
}
var policies = new List<BaseAccessPolicy>
{
new UserServiceAccountAccessPolicy
{
GrantedServiceAccountId = initData.ServiceAccountId,
OrganizationUserId = owerOrgUser.Id,
Read = true,
Write = true,
},
};
await _accessPolicyRepository.CreateManyAsync(policies);
var response = await _client.GetAsync($"/service-accounts/{initData.ServiceAccountId}/access-policies");
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<ServiceAccountAccessPoliciesResponseModel>();
Assert.NotNull(result?.UserAccessPolicies);
Assert.NotEmpty(result!.UserAccessPolicies);
Assert.Equal(owerOrgUser.Id,
result.UserAccessPolicies.First(x => x.OrganizationUserId == owerOrgUser.Id).OrganizationUserId);
}
private async Task<RequestSetupData> SetupAccessPolicyRequest(Guid organizationId) private async Task<RequestSetupData> SetupAccessPolicyRequest(Guid organizationId)
{ {
var project = await _projectRepository.CreateAsync(new Project var project = await _projectRepository.CreateAsync(new Project

267
test/Api.Test/SecretsManager/Controllers/AccessPoliciesControllerTests.cs
View File

@ -31,51 +31,63 @@ public class AccessPoliciesControllerTests
RunAsUserWithPermission, RunAsUserWithPermission,
} }
private static void SetupAdmin(SutProvider<AccessPoliciesController> sutProvider, Project data) private static void SetupAdmin(SutProvider<AccessPoliciesController> sutProvider, Guid organizationId)
{ {
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true); sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(data.OrganizationId).Returns(true); sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(organizationId).Returns(true);
} }
private static void SetupUserWithPermission(SutProvider<AccessPoliciesController> sutProvider, Project data) private static void SetupUserWithPermission(SutProvider<AccessPoliciesController> sutProvider, Guid organizationId)
{ {
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true); sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(data.OrganizationId).Returns(false); sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(organizationId).Returns(false);
sutProvider.GetDependency<ICurrentContext>().OrganizationUser(default).ReturnsForAnyArgs(true); sutProvider.GetDependency<ICurrentContext>().OrganizationUser(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IProjectRepository>().UserHasWriteAccessToProject(default, default)
.ReturnsForAnyArgs(true);
} }
private static void SetupUserWithoutPermission(SutProvider<AccessPoliciesController> sutProvider, Project data) private static void SetupUserWithoutPermission(SutProvider<AccessPoliciesController> sutProvider,
Guid organizationId)
{ {
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true); sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(data.OrganizationId).Returns(false); sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(organizationId).Returns(false);
sutProvider.GetDependency<ICurrentContext>().OrganizationUser(default).ReturnsForAnyArgs(true); sutProvider.GetDependency<ICurrentContext>().OrganizationUser(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IProjectRepository>().UserHasWriteAccessToProject(default, default) }
.ReturnsForAnyArgs(false);
private static void SetupPermission(SutProvider<AccessPoliciesController> sutProvider, PermissionType permissionType, Guid orgId)
{
switch (permissionType)
{
case PermissionType.RunAsAdmin:
SetupAdmin(sutProvider, orgId);
break;
case PermissionType.RunAsUserWithPermission:
SetupUserWithPermission(sutProvider, orgId);
break;
}
} }
[Theory] [Theory]
[BitAutoData(PermissionType.RunAsAdmin)] [BitAutoData(PermissionType.RunAsAdmin)]
[BitAutoData(PermissionType.RunAsUserWithPermission)] [BitAutoData(PermissionType.RunAsUserWithPermission)]
public async void GetAccessPoliciesByProject_ReturnsEmptyList( public async void GetProjectAccessPolicies_ReturnsEmptyList(
PermissionType permissionType, PermissionType permissionType,
SutProvider<AccessPoliciesController> sutProvider, SutProvider<AccessPoliciesController> sutProvider,
Guid id, Project data) Guid id, Project data)
{ {
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
switch (permissionType) switch (permissionType)
{ {
case PermissionType.RunAsAdmin: case PermissionType.RunAsAdmin:
SetupAdmin(sutProvider, data); SetupAdmin(sutProvider, data.OrganizationId);
break; break;
case PermissionType.RunAsUserWithPermission: case PermissionType.RunAsUserWithPermission:
SetupUserWithPermission(sutProvider, data); SetupUserWithPermission(sutProvider, data.OrganizationId);
sutProvider.GetDependency<IProjectRepository>().UserHasWriteAccessToProject(default, default)
.ReturnsForAnyArgs(true);
break; break;
} }
@ -91,12 +103,15 @@ public class AccessPoliciesControllerTests
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async void GetAccessPoliciesByProject_UserWithoutPermission_Throws( public async void GetProjectAccessPolicies_UserWithoutPermission_Throws(
SutProvider<AccessPoliciesController> sutProvider, SutProvider<AccessPoliciesController> sutProvider,
Guid id, Guid id,
Project data) Project data)
{ {
SetupUserWithoutPermission(sutProvider, data); SetupUserWithoutPermission(sutProvider, data.OrganizationId);
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
sutProvider.GetDependency<IProjectRepository>().UserHasWriteAccessToProject(default, default)
.ReturnsForAnyArgs(false);
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetProjectAccessPoliciesAsync(id)); await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetProjectAccessPoliciesAsync(id));
@ -107,20 +122,23 @@ public class AccessPoliciesControllerTests
[Theory] [Theory]
[BitAutoData(PermissionType.RunAsAdmin)] [BitAutoData(PermissionType.RunAsAdmin)]
[BitAutoData(PermissionType.RunAsUserWithPermission)] [BitAutoData(PermissionType.RunAsUserWithPermission)]
public async void GetAccessPoliciesByProject_Admin_Success( public async void GetProjectAccessPolicies_Success(
PermissionType permissionType, PermissionType permissionType,
SutProvider<AccessPoliciesController> sutProvider, SutProvider<AccessPoliciesController> sutProvider,
Guid id, Guid id,
Project data, Project data,
UserProjectAccessPolicy resultAccessPolicy) UserProjectAccessPolicy resultAccessPolicy)
{ {
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
switch (permissionType) switch (permissionType)
{ {
case PermissionType.RunAsAdmin: case PermissionType.RunAsAdmin:
SetupAdmin(sutProvider, data); SetupAdmin(sutProvider, data.OrganizationId);
break; break;
case PermissionType.RunAsUserWithPermission: case PermissionType.RunAsUserWithPermission:
SetupUserWithPermission(sutProvider, data); SetupUserWithPermission(sutProvider, data.OrganizationId);
sutProvider.GetDependency<IProjectRepository>().UserHasWriteAccessToProject(default, default)
.ReturnsForAnyArgs(true);
break; break;
} }
@ -139,13 +157,17 @@ public class AccessPoliciesControllerTests
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async void GetAccessPoliciesByProject_ProjectsExist_UserWithoutPermission_Throws( public async void GetProjectAccessPolicies_ProjectsExist_UserWithoutPermission_Throws(
SutProvider<AccessPoliciesController> sutProvider, SutProvider<AccessPoliciesController> sutProvider,
Guid id, Guid id,
Project data, Project data,
UserProjectAccessPolicy resultAccessPolicy) UserProjectAccessPolicy resultAccessPolicy)
{ {
SetupUserWithoutPermission(sutProvider, data); SetupUserWithoutPermission(sutProvider, data.OrganizationId);
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
sutProvider.GetDependency<IProjectRepository>().UserHasWriteAccessToProject(default, default)
.ReturnsForAnyArgs(false);
sutProvider.GetDependency<IAccessPolicyRepository>().GetManyByGrantedProjectIdAsync(default) sutProvider.GetDependency<IAccessPolicyRepository>().GetManyByGrantedProjectIdAsync(default)
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { resultAccessPolicy }); .ReturnsForAnyArgs(new List<BaseAccessPolicy> { resultAccessPolicy });
@ -155,9 +177,117 @@ public class AccessPoliciesControllerTests
.GetManyByGrantedProjectIdAsync(Arg.Any<Guid>()); .GetManyByGrantedProjectIdAsync(Arg.Any<Guid>());
} }
[Theory]
[BitAutoData(PermissionType.RunAsAdmin)]
[BitAutoData(PermissionType.RunAsUserWithPermission)]
public async void GetServiceAccountAccessPolicies_ReturnsEmptyList(
PermissionType permissionType,
SutProvider<AccessPoliciesController> sutProvider,
Guid id, ServiceAccount data)
{
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(data.Id).ReturnsForAnyArgs(data);
switch (permissionType)
{
case PermissionType.RunAsAdmin:
SetupAdmin(sutProvider, data.OrganizationId);
break;
case PermissionType.RunAsUserWithPermission:
SetupUserWithPermission(sutProvider, data.OrganizationId);
sutProvider.GetDependency<IServiceAccountRepository>()
.UserHasWriteAccessToServiceAccount(default, default)
.ReturnsForAnyArgs(true);
break;
}
var result = await sutProvider.Sut.GetServiceAccountAccessPoliciesAsync(id);
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
.GetManyByGrantedServiceAccountIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(id)));
Assert.Empty(result.UserAccessPolicies);
Assert.Empty(result.GroupAccessPolicies);
}
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async void CreateAccessPolicies_Success( public async void GetServiceAccountAccessPolicies_UserWithoutPermission_Throws(
SutProvider<AccessPoliciesController> sutProvider,
Guid id,
ServiceAccount data)
{
SetupUserWithoutPermission(sutProvider, data.OrganizationId);
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
sutProvider.GetDependency<IServiceAccountRepository>().UserHasWriteAccessToServiceAccount(default, default)
.ReturnsForAnyArgs(false);
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetServiceAccountAccessPoliciesAsync(id));
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
.GetManyByGrantedServiceAccountIdAsync(Arg.Any<Guid>());
}
[Theory]
[BitAutoData(PermissionType.RunAsAdmin)]
[BitAutoData(PermissionType.RunAsUserWithPermission)]
public async void GetServiceAccountAccessPolicies_Success(
PermissionType permissionType,
SutProvider<AccessPoliciesController> sutProvider,
Guid id,
ServiceAccount data,
UserServiceAccountAccessPolicy resultAccessPolicy)
{
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
switch (permissionType)
{
case PermissionType.RunAsAdmin:
SetupAdmin(sutProvider, data.OrganizationId);
break;
case PermissionType.RunAsUserWithPermission:
SetupUserWithPermission(sutProvider, data.OrganizationId);
sutProvider.GetDependency<IServiceAccountRepository>()
.UserHasWriteAccessToServiceAccount(default, default)
.ReturnsForAnyArgs(true);
break;
}
sutProvider.GetDependency<IAccessPolicyRepository>().GetManyByGrantedServiceAccountIdAsync(default)
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { resultAccessPolicy });
var result = await sutProvider.Sut.GetServiceAccountAccessPoliciesAsync(id);
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
.GetManyByGrantedServiceAccountIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(id)));
Assert.Empty(result.GroupAccessPolicies);
Assert.NotEmpty(result.UserAccessPolicies);
}
[Theory]
[BitAutoData]
public async void GetServiceAccountAccessPolicies_ServiceAccountExists_UserWithoutPermission_Throws(
SutProvider<AccessPoliciesController> sutProvider,
Guid id,
ServiceAccount data,
UserServiceAccountAccessPolicy resultAccessPolicy)
{
SetupUserWithoutPermission(sutProvider, data.OrganizationId);
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
sutProvider.GetDependency<IServiceAccountRepository>().UserHasWriteAccessToServiceAccount(default, default)
.ReturnsForAnyArgs(false);
sutProvider.GetDependency<IAccessPolicyRepository>().GetManyByGrantedServiceAccountIdAsync(default)
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { resultAccessPolicy });
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetServiceAccountAccessPoliciesAsync(id));
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
.GetManyByGrantedServiceAccountIdAsync(Arg.Any<Guid>());
}
[Theory]
[BitAutoData]
public async void CreateProjectAccessPolicies_Success(
SutProvider<AccessPoliciesController> sutProvider, SutProvider<AccessPoliciesController> sutProvider,
Guid id, Guid id,
UserProjectAccessPolicy data, UserProjectAccessPolicy data,
@ -173,6 +303,25 @@ public class AccessPoliciesControllerTests
.CreateForProjectAsync(Arg.Any<Guid>(), Arg.Any<List<BaseAccessPolicy>>(), Arg.Any<Guid>()); .CreateForProjectAsync(Arg.Any<Guid>(), Arg.Any<List<BaseAccessPolicy>>(), Arg.Any<Guid>());
} }
[Theory]
[BitAutoData]
public async void CreateServiceAccountAccessPolicies_Success(
SutProvider<AccessPoliciesController> sutProvider,
Guid id,
UserServiceAccountAccessPolicy data,
AccessPoliciesCreateRequest request)
{
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
sutProvider.GetDependency<ICreateAccessPoliciesCommand>()
.CreateForServiceAccountAsync(default, default, default)
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
await sutProvider.Sut.CreateServiceAccountAccessPoliciesAsync(id, request);
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().Received(1)
.CreateForServiceAccountAsync(Arg.Any<Guid>(), Arg.Any<List<BaseAccessPolicy>>(), Arg.Any<Guid>());
}
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async void UpdateAccessPolicies_Success( public async void UpdateAccessPolicies_Success(
@ -207,25 +356,12 @@ public class AccessPoliciesControllerTests
[Theory] [Theory]
[BitAutoData(PermissionType.RunAsAdmin)] [BitAutoData(PermissionType.RunAsAdmin)]
[BitAutoData(PermissionType.RunAsUserWithPermission)] [BitAutoData(PermissionType.RunAsUserWithPermission)]
public async void GetPeoplePotentialGranteesAsync_ReturnsEmptyList( public async void GetPeoplePotentialGrantees_ReturnsEmptyList(
PermissionType permissionType, PermissionType permissionType,
SutProvider<AccessPoliciesController> sutProvider, SutProvider<AccessPoliciesController> sutProvider,
Guid id) Guid id)
{ {
switch (permissionType) SetupPermission(sutProvider, permissionType, id);
{
case PermissionType.RunAsAdmin:
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(id).Returns(true);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
break;
case PermissionType.RunAsUserWithPermission:
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(id).Returns(false);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
break;
}
var result = await sutProvider.Sut.GetPeoplePotentialGranteesAsync(id); var result = await sutProvider.Sut.GetPeoplePotentialGranteesAsync(id);
await sutProvider.GetDependency<IGroupRepository>().Received(1) await sutProvider.GetDependency<IGroupRepository>().Received(1)
@ -239,7 +375,7 @@ public class AccessPoliciesControllerTests
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async void GetPeoplePotentialGranteesAsync_UserWithoutPermission_Throws( public async void GetPeoplePotentialGrantees_UserWithoutPermission_Throws(
SutProvider<AccessPoliciesController> sutProvider, SutProvider<AccessPoliciesController> sutProvider,
Guid id) Guid id)
{ {
@ -262,26 +398,13 @@ public class AccessPoliciesControllerTests
[Theory] [Theory]
[BitAutoData(PermissionType.RunAsAdmin)] [BitAutoData(PermissionType.RunAsAdmin)]
[BitAutoData(PermissionType.RunAsUserWithPermission)] [BitAutoData(PermissionType.RunAsUserWithPermission)]
public async void GetPeoplePotentialGranteesAsync_Success( public async void GetPeoplePotentialGrantees_Success(
PermissionType permissionType, PermissionType permissionType,
SutProvider<AccessPoliciesController> sutProvider, SutProvider<AccessPoliciesController> sutProvider,
Guid id, Guid id,
Group mockGroup) Group mockGroup)
{ {
switch (permissionType) SetupPermission(sutProvider, permissionType, id);
{
case PermissionType.RunAsAdmin:
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(id).Returns(true);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
break;
case PermissionType.RunAsUserWithPermission:
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(id).Returns(false);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
break;
}
sutProvider.GetDependency<IGroupRepository>().GetManyByOrganizationIdAsync(default) sutProvider.GetDependency<IGroupRepository>().GetManyByOrganizationIdAsync(default)
.ReturnsForAnyArgs(new List<Group> { mockGroup }); .ReturnsForAnyArgs(new List<Group> { mockGroup });
@ -299,25 +422,12 @@ public class AccessPoliciesControllerTests
[Theory] [Theory]
[BitAutoData(PermissionType.RunAsAdmin)] [BitAutoData(PermissionType.RunAsAdmin)]
[BitAutoData(PermissionType.RunAsUserWithPermission)] [BitAutoData(PermissionType.RunAsUserWithPermission)]
public async void GetServiceAccountsPotentialGranteesAsync_ReturnsEmptyList( public async void GetServiceAccountsPotentialGrantees_ReturnsEmptyList(
PermissionType permissionType, PermissionType permissionType,
SutProvider<AccessPoliciesController> sutProvider, SutProvider<AccessPoliciesController> sutProvider,
Guid id) Guid id)
{ {
switch (permissionType) SetupPermission(sutProvider, permissionType, id);
{
case PermissionType.RunAsAdmin:
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(id).Returns(true);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
break;
case PermissionType.RunAsUserWithPermission:
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(id).Returns(false);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
break;
}
var result = await sutProvider.Sut.GetServiceAccountsPotentialGranteesAsync(id); var result = await sutProvider.Sut.GetServiceAccountsPotentialGranteesAsync(id);
await sutProvider.GetDependency<IServiceAccountRepository>().Received(1) await sutProvider.GetDependency<IServiceAccountRepository>().Received(1)
@ -353,22 +463,9 @@ public class AccessPoliciesControllerTests
Guid id, Guid id,
ServiceAccount mockServiceAccount) ServiceAccount mockServiceAccount)
{ {
switch (permissionType) SetupPermission(sutProvider, permissionType, id);
{
case PermissionType.RunAsAdmin:
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(id).Returns(true);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
break;
case PermissionType.RunAsUserWithPermission:
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(id).Returns(false);
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
break;
}
sutProvider.GetDependency<IServiceAccountRepository>().GetManyByOrganizationIdWriteAccessAsync(default, default, default) sutProvider.GetDependency<IServiceAccountRepository>().GetManyByOrganizationIdWriteAccessAsync(default, default, default)
.ReturnsForAnyArgs(new List<ServiceAccount> { mockServiceAccount }); .ReturnsForAnyArgs(new List<ServiceAccount> { mockServiceAccount });
var result = await sutProvider.Sut.GetServiceAccountsPotentialGranteesAsync(id); var result = await sutProvider.Sut.GetServiceAccountsPotentialGranteesAsync(id);