
SM-695: Block Create & Update for Admins on Secrets Outside of the Org (#2844)

* SM-695: Block create or update for admins on secrets outside of the org

* SM-695: Update test, org is required on project

* SM-695: Update tests to set matching org id in project

* SM-695: Ensure there is no more than 1 project connected to a secret, plus remove org admin check in the CreateSecretCommand.

* SM-695: Add integration tests for create and update secrets security fixes

* SM-695: Update Create and Update secret tests, a secret can only be in one project at a time
This commit is contained in:
Colton Hurst
2023-04-14 09:48:11 -04:00
committed by GitHub
parent f5a8cf5c9c
commit 2529c5b36f
9 changed files with 147 additions and 1 deletions


@ -80,6 +80,11 @@ public class SecretsController : Controller
throw new NotFoundException();
}
if (createRequest.ProjectIds != null && createRequest.ProjectIds.Length > 1)
{
throw new BadRequestException();
}
var userId = _userService.GetProperUserId(User).Value;
var result = await _createSecretCommand.CreateAsync(createRequest.ToSecret(organizationId), userId);
@ -140,6 +145,11 @@ public class SecretsController : Controller
[HttpPut("secrets/{id}")]
public async Task<SecretResponseModel> UpdateSecretAsync([FromRoute] Guid id, [FromBody] SecretUpdateRequestModel updateRequest)
{
if (updateRequest.ProjectIds != null && updateRequest.ProjectIds.Length > 1)
{
throw new BadRequestException();
}
var userId = _userService.GetProperUserId(User).Value;
var secret = updateRequest.ToSecret(id);
var result = await _updateSecretCommand.UpdateAsync(secret, userId);
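Review bot: The new `ProjectIds` guard throws a bare `BadRequestException()` with no message, both in the create action of the first hunk and in `UpdateSecretAsync` in the second, so a client that sends two project ids gets a 400 with nothing explaining the rule it broke; a message such as `throw new BadRequestException("A secret can be associated with at most one project.");` would make the rejection actionable and self-documenting. The same four lines are duplicated verbatim in both actions; since both request models expose the same `ProjectIds` array, the limit would be better expressed once in request-model validation (for example a `[MaxLength(1)]` annotation) so that a future third endpoint cannot forget it. Note that the check only bounds the count; whether the single remaining project id actually belongs to `organizationId` is, per the commit message, enforced in the command, which is outside this hunk and not visible here. The create action's signature lies above the first hunk, and the body of `UpdateSecretAsync` continues past the end of the second.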