[PM-22101] Enforce restrictions on collections with DefaultUserCollection type (#5968)

* Add CreateCollectionCommand and associated interface with validation logic * Implement CreateCollectionCommand to handle collection creation with organization checks and access permissions. * Introduce ICreateCollectionCommand interface for defining the collection creation contract. * Add unit tests for CreateCollectionCommand to validate various scenarios including permission checks and error handling. * Add UpdateCollectionCommand and associated interface with validation logic * Implement UpdateCollectionCommand to handle collection updates with organization checks and access permissions. * Introduce IUpdateCollectionCommand interface for defining the collection update contract. * Add unit tests for UpdateCollectionCommand to validate various scenarios including permission checks and error handling. * Add scoped services for collection commands * Register ICreateCollectionCommand and IUpdateCollectionCommand in the service collection for handling collection creation and updates. * Refactor CollectionsController to use command interfaces for collection creation and updates * Updated CollectionsController to utilize ICreateCollectionCommand and IUpdateCollectionCommand for handling collection creation and updates, replacing calls to ICollectionService. * Adjusted related unit tests to verify the new command implementations. * Refactor ICollectionService and CollectionService to remove SaveAsync method * Removed the SaveAsync method from ICollectionService and its implementation in CollectionService. * Updated related tests in CollectionServiceTests to reflect the removal of SaveAsync, ensuring existing functionality remains intact. * Remove unused organization repository dependency from CollectionServiceTests * Add validation to CreateCollectionCommand to prevent creation of DefaultUserCollection type * Implemented a check in CreateCollectionCommand to throw a BadRequestException if a collection of type DefaultUserCollection is attempted to be created. * Added a unit test to verify that the exception is thrown with the correct message when attempting to create a collection of this type. * Add validation to DeleteCollectionCommand to prevent deletion of DefaultUserCollection type * Implemented checks in DeleteAsync and DeleteManyAsync methods to throw a BadRequestException if a collection of type DefaultUserCollection is attempted to be deleted. * Added unit tests to verify that the exceptions are thrown with the correct messages when attempting to delete collections of this type. * Add validation in UpdateCollectionCommand to prevent editing DefaultUserCollection type * Implemented a check in UpdateAsync to throw a BadRequestException if a collection of type DefaultUserCollection is attempted to be updated. * Added a unit test to verify that the exception is thrown with the correct message when attempting to update a collection of this type. * Add validation in UpdateOrganizationUserCommand to prevent modification of DefaultUserCollection type * Implemented a check to throw a BadRequestException if an attempt is made to modify member access for collections of type DefaultUserCollection. * Added a unit test to ensure the exception is thrown with the correct message when this condition is met. * Add validation in UpdateGroupCommand to prevent modification of DefaultUserCollection type * Implemented a check to throw a BadRequestException if an attempt is made to modify group access for collections of type DefaultUserCollection. * Added a unit test to ensure the exception is thrown with the correct message when this condition is met. * Add validation in BulkAddCollectionAccessCommand to prevent addition of collections of DefaultUserCollection type * Implemented a check to throw a BadRequestException if an attempt is made to add access to collections of type DefaultUserCollection. * Added a unit test to ensure the exception is thrown with the correct message when this condition is met. * Add validation in CollectionService to prevent modification of DefaultUserCollection type * Implemented a check in DeleteUserAsync to throw a BadRequestException if an attempt is made to modify member access for collections of type DefaultUserCollection. * Added a unit test to ensure the exception is thrown with the correct message when this condition is met. * Implement a check to throw a BadRequestException if an attempt is made to modify member access for collections of type DefaultUserCollection. * Add validation in CollectionsController to prevent deletion of DefaultUserCollection type * Implemented a check to return a BadRequestObjectResult if an attempt is made to delete a collection of type DefaultUserCollection. * Remove unused test method for handling DefaultUserCollection in CollectionsControllerTests * Update UpdateOrganizationUserCommandTests to use OrganizationUserType for user updates
2025-06-30 07:36:14 -05:00 · 2025-06-27 15:29:34 +01:00
parent 57cd628de8
commit 290fa3ded4
15 changed files with 233 additions and 4 deletions
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/Groups/UpdateGroupCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/Groups/UpdateGroupCommandTests.cs
@ -156,6 +156,24 @@ public class UpdateGroupCommandTests
            () => sutProvider.Sut.UpdateGroupAsync(group, organization, collectionAccess));
    }

+    [Theory, OrganizationCustomize(UseGroups = true), BitAutoData]
+    public async Task UpdateGroup_WithDefaultUserCollectionType_Throws(SutProvider<UpdateGroupCommand> sutProvider,
+        Group group, Group oldGroup, Organization organization, List<CollectionAccessSelection> collectionAccess)
+    {
+        ArrangeGroup(sutProvider, group, oldGroup);
+        ArrangeUsers(sutProvider, group);
+
+        // Return collections with DefaultUserCollection type
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
+                .Select(guid => new Collection { Id = guid, OrganizationId = group.OrganizationId, Type = CollectionType.DefaultUserCollection }).ToList());
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.UpdateGroupAsync(group, organization, collectionAccess));
+        Assert.Contains("You cannot modify group access for collections with the type as DefaultUserCollection.", exception.Message);
+    }
+
    [Theory, OrganizationCustomize(UseGroups = true), BitAutoData]
    public async Task UpdateGroup_MemberBelongsToDifferentOrganization_Throws(SutProvider<UpdateGroupCommand> sutProvider,
        Group group, Group oldGroup, Organization organization, IEnumerable<Guid> userAccess)
--- a/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommandTests.cs
+++ b/test/Core.Test/AdminConsole/OrganizationFeatures/OrganizationUsers/UpdateOrganizationUserCommandTests.cs
@ -244,6 +244,24 @@ public class UpdateOrganizationUserCommandTests
        Assert.Contains("User can only be an admin of one free organization.", exception.Message);
    }

+    [Theory, BitAutoData]
+    public async Task UpdateUserAsync_WithDefaultUserCollectionType_Throws(OrganizationUser user, OrganizationUser originalUser,
+        List<CollectionAccessSelection> collectionAccess, Guid? savingUserId, SutProvider<UpdateOrganizationUserCommand> sutProvider,
+        Organization organization)
+    {
+        Setup(sutProvider, organization, user, originalUser);
+
+        // Return collections with DefaultUserCollection type
+        sutProvider.GetDependency<ICollectionRepository>()
+            .GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
+            .Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
+                .Select(guid => new Collection { Id = guid, OrganizationId = user.OrganizationId, Type = CollectionType.DefaultUserCollection }).ToList());
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.UpdateUserAsync(user, OrganizationUserType.User, savingUserId, collectionAccess, null));
+        Assert.Contains("You cannot modify member access for collections with the type as DefaultUserCollection.", exception.Message);
+    }
+
    private void Setup(SutProvider<UpdateOrganizationUserCommand> sutProvider, Organization organization,
        OrganizationUser newUser, OrganizationUser oldUser)
    {
--- a/test/Core.Test/OrganizationFeatures/OrganizationCollections/BulkAddCollectionAccessCommandTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationCollections/BulkAddCollectionAccessCommandTests.cs
@ -27,6 +27,8 @@ public class BulkAddCollectionAccessCommandTests
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
+        SetCollectionsToSharedType(collections);
+
        sutProvider.GetDependency<IOrganizationUserRepository>()
            .GetManyAsync(
                Arg.Is<IEnumerable<Guid>>(ids => ids.SequenceEqual(collectionUsers.Select(u => u.OrganizationUserId)))
@ -107,6 +109,8 @@ public class BulkAddCollectionAccessCommandTests
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
+        SetCollectionsToSharedType(collections);
+
        collections.First().OrganizationId = Guid.NewGuid();

        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.AddAccessAsync(collections,
@ -127,6 +131,8 @@ public class BulkAddCollectionAccessCommandTests
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
+        SetCollectionsToSharedType(collections);
+
        organizationUsers.RemoveAt(0);

        sutProvider.GetDependency<IOrganizationUserRepository>()
@ -155,6 +161,8 @@ public class BulkAddCollectionAccessCommandTests
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
+        SetCollectionsToSharedType(collections);
+
        organizationUsers.First().OrganizationId = Guid.NewGuid();

        sutProvider.GetDependency<IOrganizationUserRepository>()
@ -184,6 +192,8 @@ public class BulkAddCollectionAccessCommandTests
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
+        SetCollectionsToSharedType(collections);
+
        groups.RemoveAt(0);

        sutProvider.GetDependency<IOrganizationUserRepository>()
@ -221,6 +231,8 @@ public class BulkAddCollectionAccessCommandTests
        IEnumerable<CollectionUser> collectionUsers,
        IEnumerable<CollectionGroup> collectionGroups)
    {
+        SetCollectionsToSharedType(collections);
+
        groups.First().OrganizationId = Guid.NewGuid();

        sutProvider.GetDependency<IOrganizationUserRepository>()
@ -250,6 +262,37 @@ public class BulkAddCollectionAccessCommandTests
        );
    }

+    [Theory, BitAutoData, CollectionCustomization]
+    public async Task AddAccessAsync_WithDefaultUserCollectionType_ThrowsBadRequest(SutProvider<BulkAddCollectionAccessCommand> sutProvider,
+        IList<Collection> collections,
+        IEnumerable<CollectionUser> collectionUsers,
+        IEnumerable<CollectionGroup> collectionGroups)
+    {
+        // Arrange
+        collections.First().Type = CollectionType.DefaultUserCollection;
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.AddAccessAsync(collections,
+            ToAccessSelection(collectionUsers),
+            ToAccessSelection(collectionGroups)
+        ));
+
+        Assert.Contains("You cannot add access to collections with the type as DefaultUserCollection.", exception.Message);
+
+        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().CreateOrUpdateAccessForManyAsync(default, default, default, default);
+        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogCollectionEventsAsync(default);
+        await sutProvider.GetDependency<IOrganizationUserRepository>().DidNotReceiveWithAnyArgs().GetManyAsync(default);
+        await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().GetManyByManyIds(default);
+    }
+
+    private static void SetCollectionsToSharedType(IEnumerable<Collection> collections)
+    {
+        foreach (var collection in collections)
+        {
+            collection.Type = CollectionType.SharedCollection;
+        }
+    }
+
    private static ICollection<CollectionAccessSelection> ToAccessSelection(IEnumerable<CollectionUser> collectionUsers)
    {
        return collectionUsers.Select(cu => new CollectionAccessSelection
--- a/test/Core.Test/OrganizationFeatures/OrganizationCollections/CreateCollectionCommandTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationCollections/CreateCollectionCommandTests.cs
@ -199,4 +199,27 @@ public class CreateCollectionCommandTests
            .DidNotReceiveWithAnyArgs()
            .LogCollectionEventAsync(default, default);
    }
+
+    [Theory, BitAutoData]
+    public async Task CreateAsync_WithDefaultUserCollectionType_ThrowsBadRequest(
+        Organization organization, Collection collection, SutProvider<CreateCollectionCommand> sutProvider)
+    {
+        collection.Id = default;
+        collection.Type = CollectionType.DefaultUserCollection;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        var ex = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(collection));
+        Assert.Contains("You cannot create a collection with the type as DefaultUserCollection.", ex.Message);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .CreateAsync(default);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .CreateAsync(default, default, default);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCollectionEventAsync(default, default);
+    }
 }
--- a/test/Core.Test/OrganizationFeatures/OrganizationCollections/DeleteCollectionCommandTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationCollections/DeleteCollectionCommandTests.cs
@ -1,6 +1,6 @@
-
-using Bit.Core.Entities;
+using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Exceptions;
 using Bit.Core.OrganizationFeatures.OrganizationCollections;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@ -34,6 +34,7 @@ public class DeleteCollectionCommandTests
    {
        // Arrange
        var collectionIds = new[] { collection.Id, collection2.Id };
+        collection.Type = collection2.Type = CollectionType.SharedCollection;

        sutProvider.GetDependency<ICollectionRepository>()
            .GetManyByManyIdsAsync(collectionIds)
@ -51,5 +52,42 @@ public class DeleteCollectionCommandTests
            a.All(c => collectionIds.Contains(c.Item1.Id) && c.Item2 == EventType.Collection_Deleted)));
    }

+    [Theory, BitAutoData]
+    [OrganizationCustomize]
+    public async Task DeleteAsync_WithDefaultUserCollectionType_ThrowsBadRequest(Collection collection, SutProvider<DeleteCollectionCommand> sutProvider)
+    {
+        // Arrange
+        collection.Type = CollectionType.DefaultUserCollection;
+
+        // Act & Assert
+        var ex = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.DeleteAsync(collection));
+        Assert.Contains("You cannot delete a collection with the type as DefaultUserCollection.", ex.Message);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .DeleteAsync(default);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCollectionEventAsync(default, default, default);
+    }
+
+    [Theory, BitAutoData]
+    [OrganizationCustomize]
+    public async Task DeleteManyAsync_WithDefaultUserCollectionType_ThrowsBadRequest(Collection collection, Collection collection2, SutProvider<DeleteCollectionCommand> sutProvider)
+    {
+        // Arrange
+        collection.Type = CollectionType.DefaultUserCollection;
+        collection2.Type = CollectionType.SharedCollection;
+        var collections = new List<Collection> { collection, collection2 };
+
+        // Act & Assert
+        var ex = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.DeleteManyAsync(collections));
+        Assert.Contains("You cannot delete collections with the type as DefaultUserCollection.", ex.Message);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .DeleteManyAsync(default);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCollectionEventsAsync(default);
+    }

 }
--- a/test/Core.Test/OrganizationFeatures/OrganizationCollections/UpdateCollectionCommandTests.cs
+++ b/test/Core.Test/OrganizationFeatures/OrganizationCollections/UpdateCollectionCommandTests.cs
@ -166,4 +166,26 @@ public class UpdateCollectionCommandTests
            .DidNotReceiveWithAnyArgs()
            .LogCollectionEventAsync(default, default);
    }
+
+    [Theory, BitAutoData]
+    public async Task UpdateAsync_WithDefaultUserCollectionType_ThrowsBadRequest(
+        Organization organization, Collection collection, SutProvider<UpdateCollectionCommand> sutProvider)
+    {
+        collection.Type = CollectionType.DefaultUserCollection;
+        sutProvider.GetDependency<IOrganizationRepository>()
+            .GetByIdAsync(organization.Id)
+            .Returns(organization);
+
+        var ex = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.UpdateAsync(collection));
+        Assert.Contains("You cannot edit a collection with the type as DefaultUserCollection.", ex.Message);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .ReplaceAsync(default);
+        await sutProvider.GetDependency<ICollectionRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .ReplaceAsync(default, default, default);
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogCollectionEventAsync(default, default);
+    }
 }
--- a/test/Core.Test/Services/CollectionServiceTests.cs
+++ b/test/Core.Test/Services/CollectionServiceTests.cs
@ -49,4 +49,22 @@ public class CollectionServiceTest
        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs()
            .LogOrganizationUserEventAsync<OrganizationUser>(default, default);
    }
+
+    [Theory, BitAutoData]
+    public async Task DeleteUserAsync_WithDefaultUserCollectionType_ThrowsBadRequest(Collection collection,
+        Organization organization, OrganizationUser organizationUser, SutProvider<CollectionService> sutProvider)
+    {
+        collection.Type = CollectionType.DefaultUserCollection;
+        collection.OrganizationId = organization.Id;
+        organizationUser.OrganizationId = organization.Id;
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.DeleteUserAsync(collection, organizationUser.Id));
+        Assert.Contains("You cannot modify member access for collections with the type as DefaultUserCollection.", exception.Message);
+
+        await sutProvider.GetDependency<IOrganizationUserRepository>().DidNotReceiveWithAnyArgs().GetByIdAsync(default);
+        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs().DeleteUserAsync(default, default);
+        await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs()
+            .LogOrganizationUserEventAsync<OrganizationUser>(default, default);
+    }
 }