[AC-2887] Added Billing Authorization Where Missing (#4525)

* Added missing authorization validation to OrganizationBillingController endpoints * Moved authorization validation to top of each method * Resolved broken unit tests and added some new ones
2025-06-30 07:36:14 -05:00 · 2024-07-17 16:15:28 -04:00
parent 88d5a97a86
commit 45ec57f81b
3 changed files with 85 additions and 6 deletions
--- a/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs
+++ b/test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs
@ -1,7 +1,11 @@
 using Bit.Api.Billing.Controllers;
 using Bit.Api.Billing.Models.Responses;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Services;
+using Bit.Core.Context;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.Http.HttpResults;
@ -14,11 +18,26 @@ namespace Bit.Api.Test.Billing.Controllers;
 [SutProviderCustomize]
 public class OrganizationBillingControllerTests
 {
+    [Theory, BitAutoData]
+    public async Task GetMetadataAsync_Unauthorized_ReturnsUnauthorized(
+        Guid organizationId,
+        SutProvider<OrganizationBillingController> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(false);
+
+        var result = await sutProvider.Sut.GetMetadataAsync(organizationId);
+
+        Assert.IsType<UnauthorizedHttpResult>(result);
+    }
+
    [Theory, BitAutoData]
    public async Task GetMetadataAsync_MetadataNull_NotFound(
        Guid organizationId,
        SutProvider<OrganizationBillingController> sutProvider)
    {
+        sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(true);
+        sutProvider.GetDependency<IOrganizationBillingService>().GetMetadata(organizationId).Returns((OrganizationMetadataDTO)null);
+
        var result = await sutProvider.Sut.GetMetadataAsync(organizationId);

        Assert.IsType<NotFound>(result);
@ -29,6 +48,7 @@ public class OrganizationBillingControllerTests
        Guid organizationId,
        SutProvider<OrganizationBillingController> sutProvider)
    {
+        sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(true);
        sutProvider.GetDependency<IOrganizationBillingService>().GetMetadata(organizationId)
            .Returns(new OrganizationMetadataDTO(true));

@ -40,4 +60,53 @@ public class OrganizationBillingControllerTests

        Assert.True(organizationMetadataResponse.IsOnSecretsManagerStandalone);
    }
+
+    [Theory, BitAutoData]
+    public async Task GetHistoryAsync_Unauthorized_ReturnsUnauthorized(
+        Guid organizationId,
+        SutProvider<OrganizationBillingController> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(false);
+
+        var result = await sutProvider.Sut.GetHistoryAsync(organizationId);
+
+        Assert.IsType<UnauthorizedHttpResult>(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetHistoryAsync_OrganizationNotFound_ReturnsNotFound(
+        Guid organizationId,
+        SutProvider<OrganizationBillingController> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(true);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns((Organization)null);
+
+        var result = await sutProvider.Sut.GetHistoryAsync(organizationId);
+
+        Assert.IsType<NotFound>(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetHistoryAsync_OK(
+        Guid organizationId,
+        Organization organization,
+        SutProvider<OrganizationBillingController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(true);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns(organization);
+
+        // Manually create a BillingHistoryInfo object to avoid requiring AutoFixture to create HttpResponseHeaders
+        var billingInfo = new BillingHistoryInfo();
+
+        sutProvider.GetDependency<IPaymentService>().GetBillingHistoryAsync(organization).Returns(billingInfo);
+
+        // Act
+        var result = await sutProvider.Sut.GetHistoryAsync(organizationId);
+
+        // Assert
+        var okResult = Assert.IsType<Ok<BillingHistoryInfo>>(result);
+        Assert.Equal(billingInfo, okResult.Value);
+    }
 }