SM-695: Block Create & Update for Admins on Secrets Outside of the Org (#2844)

* SM-695: Block create or update for admins on secrets outside of the org * SM-695: Update test, org is required on project * SM-695: Update tests to set matching org id in project * SM-695: Ensure there is no more than 1 project connected to a secret, plus remove org admin check in the CreateSecretCommand. * SM-695: Add integration tests for create and update secrets security fixes * SM-695: Update Create and Update secret tests, a secret can only be in one project at a time
2025-06-30 15:42:48 -05:00 · 2023-04-14 09:48:11 -04:00
parent f5a8cf5c9c
commit 2529c5b36f
9 changed files with 147 additions and 1 deletions
--- a/test/Api.IntegrationTest/SecretsManager/Controllers/SecretsControllerTests.cs
+++ b/test/Api.IntegrationTest/SecretsManager/Controllers/SecretsControllerTests.cs
@ -148,7 +148,7 @@ public class SecretsControllerTests : IClassFixture<ApiApplicationFactory>, IAsy
        var (org, _) = await _organizationHelper.Initialize(true, true);
        await LoginAsync(_email);

-        var project = await _projectRepository.CreateAsync(new Project { Name = "123" });
+        var project = await _projectRepository.CreateAsync(new Project { OrganizationId = org.Id, Name = "123" });

        var request = new SecretCreateRequestModel
        {
@ -179,6 +179,47 @@ public class SecretsControllerTests : IClassFixture<ApiApplicationFactory>, IAsy
        Assert.Null(createdSecret.DeletedDate);
    }

+    [Fact]
+    public async Task CreateWithDifferentProjectOrgId_RunAsAdmin_NotFound()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true);
+        await LoginAsync(_email);
+
+        var project = await _projectRepository.CreateAsync(new Project { Name = "123" });
+
+        var request = new SecretCreateRequestModel
+        {
+            ProjectIds = new Guid[] { project.Id },
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString,
+        };
+
+        var response = await _client.PostAsJsonAsync($"/organizations/{org.Id}/secrets", request);
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task CreateWithMultipleProjects_RunAsAdmin_BadRequest()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true);
+        await LoginAsync(_email);
+
+        var projectA = await _projectRepository.CreateAsync(new Project { OrganizationId = org.Id, Name = "123A" });
+        var projectB = await _projectRepository.CreateAsync(new Project { OrganizationId = org.Id, Name = "123B" });
+
+        var request = new SecretCreateRequestModel
+        {
+            ProjectIds = new Guid[] { projectA.Id, projectB.Id },
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString,
+        };
+
+        var response = await _client.PostAsJsonAsync($"/organizations/{org.Id}/secrets", request);
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+    }
+
    [Fact]
    public async Task CreateWithoutProject_RunAsUser_NotFound()
    {
@ -531,6 +572,63 @@ public class SecretsControllerTests : IClassFixture<ApiApplicationFactory>, IAsy
        Assert.NotEqual(secret.RevisionDate, updatedSecret.RevisionDate);
    }

+    [Fact]
+    public async Task UpdateWithDifferentProjectOrgId_RunAsAdmin_NotFound()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true);
+        await LoginAsync(_email);
+
+        var project = await _projectRepository.CreateAsync(new Project { Name = "123" });
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString
+        });
+
+        var request = new SecretUpdateRequestModel
+        {
+            Key = _mockEncryptedString,
+            Value = "2.3Uk+WNBIoU5xzmVFNcoWzz==|1MsPIYuRfdOHfu/0uY6H2Q==|/98xy4wb6pHP1VTZ9JcNCYgQjEUMFPlqJgCwRk1YXKg=",
+            Note = _mockEncryptedString,
+            ProjectIds = new Guid[] { project.Id },
+        };
+
+        var response = await _client.PutAsJsonAsync($"/secrets/{secret.Id}", request);
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task UpdateWithMultipleProjects_BadRequest()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true);
+        await LoginAsync(_email);
+
+        var projectA = await _projectRepository.CreateAsync(new Project { OrganizationId = org.Id, Name = "123A" });
+        var projectB = await _projectRepository.CreateAsync(new Project { OrganizationId = org.Id, Name = "123B" });
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString
+        });
+
+        var request = new SecretUpdateRequestModel
+        {
+            Key = _mockEncryptedString,
+            Value = "2.3Uk+WNBIoU5xzmVFNcoWzz==|1MsPIYuRfdOHfu/0uY6H2Q==|/98xy4wb6pHP1VTZ9JcNCYgQjEUMFPlqJgCwRk1YXKg=",
+            Note = _mockEncryptedString,
+            ProjectIds = new Guid[] { projectA.Id, projectB.Id },
+        };
+
+        var response = await _client.PutAsJsonAsync($"/secrets/{secret.Id}", request);
+        Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+    }
+
    [Theory]
    [InlineData(false, false)]
    [InlineData(true, false)]