mirror of
https://github.com/bitwarden/server.git
synced 2025-07-02 08:32:50 -05:00
[PM-3779] idor allow the attacker to delete the victim domain (#3308)
* [PM-3779] Added IOrganizationDomainRepository.GetDomainByIdAndOrganizationIdAsync and SQL stored procedure * [PM-3779] Changed GetOrganizationDomainByIdQuery to also take OrgId as a parameter. Updated existing unit tests and added new. Updated controller to match command changes * [PM-3779] Removed type from url routes * [PM-3779] Renamed IGetOrganizationDomainByIdAndOrganizationIdQuery to IGetOrganizationDomainByIdOrganizationIdQuery * [PM-3779] Renamed GetOrganizationDomainByIdOrganizationIdQueryTests file and added more tests
This commit is contained in:
Rui Tomé
@ -1,13 +1,11 @@
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.OrganizationFeatures.OrganizationDomains;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using NSubstitute;
|
||||
using NSubstitute.ReturnsExtensions;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Core.Test.OrganizationFeatures.OrganizationDomains;
|
||||
@ -15,17 +13,6 @@ namespace Bit.Core.Test.OrganizationFeatures.OrganizationDomains;
|
||||
[SutProviderCustomize]
|
||||
public class DeleteOrganizationDomainCommandTests
|
||||
{
|
||||
[Theory, BitAutoData]
|
||||
public async Task DeleteAsync_ShouldThrowNotFoundException_WhenIdDoesNotExist(Guid id,
|
||||
SutProvider<DeleteOrganizationDomainCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<IOrganizationDomainRepository>().GetByIdAsync(id).ReturnsNull();
|
||||
|
||||
var requestAction = async () => await sutProvider.Sut.DeleteAsync(id);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(requestAction);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task DeleteAsync_Success(Guid id, SutProvider<DeleteOrganizationDomainCommand> sutProvider)
|
||||
{
|
||||
@ -36,9 +23,8 @@ public class DeleteOrganizationDomainCommandTests
|
||||
DomainName = "Test Domain",
|
||||
Txt = "btw+test18383838383"
|
||||
};
|
||||
sutProvider.GetDependency<IOrganizationDomainRepository>().GetByIdAsync(id).Returns(expected);
|
||||
|
||||
await sutProvider.Sut.DeleteAsync(id);
|
||||
await sutProvider.Sut.DeleteAsync(expected);
|
||||
|
||||
await sutProvider.GetDependency<IOrganizationDomainRepository>().Received(1).DeleteAsync(expected);
|
||||
await sutProvider.GetDependency<IEventService>().Received(1)
|
||||
|
||||
@ -0,0 +1,80 @@
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.OrganizationFeatures.OrganizationDomains;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using NSubstitute;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Core.Test.OrganizationFeatures.OrganizationDomains;
|
||||
|
||||
[SutProviderCustomize]
|
||||
public class GetOrganizationDomainByIdOrganizationIdQueryTests
|
||||
{
|
||||
[Theory, BitAutoData]
|
||||
public async Task GetOrganizationDomainByIdAndOrganizationIdAsync_WithExistingParameters_ReturnsExpectedEntity(
|
||||
OrganizationDomain organizationDomain, SutProvider<GetOrganizationDomainByIdOrganizationIdQuery> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<IOrganizationDomainRepository>()
|
||||
.GetDomainByIdOrganizationIdAsync(organizationDomain.Id, organizationDomain.OrganizationId)
|
||||
.Returns(organizationDomain);
|
||||
|
||||
var result = await sutProvider.Sut.GetOrganizationDomainByIdOrganizationIdAsync(organizationDomain.Id, organizationDomain.OrganizationId);
|
||||
|
||||
await sutProvider.GetDependency<IOrganizationDomainRepository>().Received(1)
|
||||
.GetDomainByIdOrganizationIdAsync(organizationDomain.Id, organizationDomain.OrganizationId);
|
||||
|
||||
Assert.Equal(organizationDomain, result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task GetOrganizationDomainByIdAndOrganizationIdAsync_WithNonExistingParameters_ReturnsNull(
|
||||
Guid id, Guid organizationId, OrganizationDomain organizationDomain,
|
||||
SutProvider<GetOrganizationDomainByIdOrganizationIdQuery> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<IOrganizationDomainRepository>()
|
||||
.GetDomainByIdOrganizationIdAsync(organizationDomain.Id, organizationDomain.OrganizationId)
|
||||
.Returns(organizationDomain);
|
||||
|
||||
var result = await sutProvider.Sut.GetOrganizationDomainByIdOrganizationIdAsync(id, organizationId);
|
||||
|
||||
await sutProvider.GetDependency<IOrganizationDomainRepository>().Received(1)
|
||||
.GetDomainByIdOrganizationIdAsync(id, organizationId);
|
||||
|
||||
Assert.Null(result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task GetOrganizationDomainByIdAndOrganizationIdAsync_WithNonExistingId_ReturnsNull(
|
||||
Guid id, OrganizationDomain organizationDomain,
|
||||
SutProvider<GetOrganizationDomainByIdOrganizationIdQuery> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<IOrganizationDomainRepository>()
|
||||
.GetDomainByIdOrganizationIdAsync(organizationDomain.Id, organizationDomain.OrganizationId)
|
||||
.Returns(organizationDomain);
|
||||
|
||||
var result = await sutProvider.Sut.GetOrganizationDomainByIdOrganizationIdAsync(id, organizationDomain.OrganizationId);
|
||||
|
||||
await sutProvider.GetDependency<IOrganizationDomainRepository>().Received(1)
|
||||
.GetDomainByIdOrganizationIdAsync(id, organizationDomain.OrganizationId);
|
||||
|
||||
Assert.Null(result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task GetOrganizationDomainByIdAndOrganizationIdAsync_WithNonExistingOrgId_ReturnsNull(
|
||||
Guid organizationId, OrganizationDomain organizationDomain,
|
||||
SutProvider<GetOrganizationDomainByIdOrganizationIdQuery> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<IOrganizationDomainRepository>()
|
||||
.GetDomainByIdOrganizationIdAsync(organizationDomain.Id, organizationDomain.OrganizationId)
|
||||
.Returns(organizationDomain);
|
||||
|
||||
var result = await sutProvider.Sut.GetOrganizationDomainByIdOrganizationIdAsync(organizationDomain.Id, organizationId);
|
||||
|
||||
await sutProvider.GetDependency<IOrganizationDomainRepository>().Received(1)
|
||||
.GetDomainByIdOrganizationIdAsync(organizationDomain.Id, organizationId);
|
||||
|
||||
Assert.Null(result);
|
||||
}
|
||||
}
|
||||
@ -1,22 +0,0 @@
|
||||
using Bit.Core.OrganizationFeatures.OrganizationDomains;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using NSubstitute;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Core.Test.OrganizationFeatures.OrganizationDomains;
|
||||
|
||||
[SutProviderCustomize]
|
||||
public class GetOrganizationDomainByIdQueryTests
|
||||
{
|
||||
[Theory, BitAutoData]
|
||||
public async Task GetOrganizationDomainById_CallsGetByIdAsync(Guid id,
|
||||
SutProvider<GetOrganizationDomainByIdQuery> sutProvider)
|
||||
{
|
||||
await sutProvider.Sut.GetOrganizationDomainById(id);
|
||||
|
||||
await sutProvider.GetDependency<IOrganizationDomainRepository>().Received(1)
|
||||
.GetByIdAsync(id);
|
||||
}
|
||||
}
|
||||
@ -14,7 +14,7 @@ public class GetOrganizationDomainByOrganizationIdQueryTests
|
||||
public async Task GetDomainsByOrganizationId_CallsGetDomainsByOrganizationIdAsync(Guid orgId,
|
||||
SutProvider<GetOrganizationDomainByOrganizationIdQuery> sutProvider)
|
||||
{
|
||||
await sutProvider.Sut.GetDomainsByOrganizationId(orgId);
|
||||
await sutProvider.Sut.GetDomainsByOrganizationIdAsync(orgId);
|
||||
|
||||
await sutProvider.GetDependency<IOrganizationDomainRepository>().Received(1)
|
||||
.GetDomainsByOrganizationIdAsync(orgId);
|
||||
|
||||
@ -7,8 +7,6 @@ using Bit.Core.Services;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using NSubstitute;
|
||||
using NSubstitute.ReceivedExtensions;
|
||||
using NSubstitute.ReturnsExtensions;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Core.Test.OrganizationFeatures.OrganizationDomains;
|
||||
@ -16,19 +14,6 @@ namespace Bit.Core.Test.OrganizationFeatures.OrganizationDomains;
|
||||
[SutProviderCustomize]
|
||||
public class VerifyOrganizationDomainCommandTests
|
||||
{
|
||||
[Theory, BitAutoData]
|
||||
public async Task VerifyOrganizationDomain_ShouldThrowNotFound_WhenDomainDoesNotExist(Guid id,
|
||||
SutProvider<VerifyOrganizationDomainCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<IOrganizationDomainRepository>()
|
||||
.GetByIdAsync(id)
|
||||
.ReturnsNull();
|
||||
|
||||
var requestAction = async () => await sutProvider.Sut.VerifyOrganizationDomain(id);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(requestAction);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task VerifyOrganizationDomain_ShouldThrowConflict_WhenDomainHasBeenClaimed(Guid id,
|
||||
SutProvider<VerifyOrganizationDomainCommand> sutProvider)
|
||||
@ -45,7 +30,7 @@ public class VerifyOrganizationDomainCommandTests
|
||||
.GetByIdAsync(id)
|
||||
.Returns(expected);
|
||||
|
||||
var requestAction = async () => await sutProvider.Sut.VerifyOrganizationDomain(id);
|
||||
var requestAction = async () => await sutProvider.Sut.VerifyOrganizationDomainAsync(expected);
|
||||
|
||||
var exception = await Assert.ThrowsAsync<ConflictException>(requestAction);
|
||||
Assert.Contains("Domain has already been verified.", exception.Message);
|
||||
@ -69,7 +54,7 @@ public class VerifyOrganizationDomainCommandTests
|
||||
.GetClaimedDomainsByDomainNameAsync(expected.DomainName)
|
||||
.Returns(new List<OrganizationDomain> { expected });
|
||||
|
||||
var requestAction = async () => await sutProvider.Sut.VerifyOrganizationDomain(id);
|
||||
var requestAction = async () => await sutProvider.Sut.VerifyOrganizationDomainAsync(expected);
|
||||
|
||||
var exception = await Assert.ThrowsAsync<ConflictException>(requestAction);
|
||||
Assert.Contains("The domain is not available to be claimed.", exception.Message);
|
||||
@ -96,7 +81,7 @@ public class VerifyOrganizationDomainCommandTests
|
||||
.ResolveAsync(expected.DomainName, Arg.Any<string>())
|
||||
.Returns(true);
|
||||
|
||||
var result = await sutProvider.Sut.VerifyOrganizationDomain(id);
|
||||
var result = await sutProvider.Sut.VerifyOrganizationDomainAsync(expected);
|
||||
|
||||
Assert.NotNull(result.VerifiedDate);
|
||||
await sutProvider.GetDependency<IOrganizationDomainRepository>().Received(1)
|
||||
@ -126,7 +111,7 @@ public class VerifyOrganizationDomainCommandTests
|
||||
.ResolveAsync(expected.DomainName, Arg.Any<string>())
|
||||
.Returns(false);
|
||||
|
||||
var result = await sutProvider.Sut.VerifyOrganizationDomain(id);
|
||||
var result = await sutProvider.Sut.VerifyOrganizationDomainAsync(expected);
|
||||
|
||||
Assert.Null(result.VerifiedDate);
|
||||
await sutProvider.GetDependency<IEventService>().Received(1)
|
||||
|
||||
Reference in New Issue
Block a user