[SM-390] Project Access Policies (#2507)

The purpose of this PR is to create server endpoints for creating, reading, updating, and deleting access policies for projects.
2025-06-30 15:42:48 -05:00 · 2023-01-19 17:31:19 -06:00
parent ae647bbf44
commit 53ba2eeb18
24 changed files with 1133 additions and 63 deletions
--- a/test/Api.IntegrationTest/Controllers/AccessPoliciesControllerTest.cs
+++ b/test/Api.IntegrationTest/Controllers/AccessPoliciesControllerTest.cs
@ -0,0 +1,185 @@
+using System.Net.Http.Headers;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.Helpers;
+using Bit.Api.SecretManagerFeatures.Models.Request;
+using Bit.Api.SecretManagerFeatures.Models.Response;
+using Bit.Core.Entities;
+using Bit.Core.Repositories;
+using Bit.Test.Common.Helpers;
+using Xunit;
+
+namespace Bit.Api.IntegrationTest.Controllers;
+
+public class AccessPoliciesControllerTest : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
+{
+    private readonly IAccessPolicyRepository _accessPolicyRepository;
+
+    private readonly HttpClient _client;
+    private readonly ApiApplicationFactory _factory;
+
+    private const string _mockEncryptedString = "2.3Uk+WNBIoU5xzmVFNcoWzz==|1MsPIYuRfdOHfu/0uY6H2Q==|/98sp4wb6pHP1VTZ9JcNCYgQjEUMFPlqJgCwRk1YXKg=";
+
+    private readonly IProjectRepository _projectRepository;
+    private readonly IServiceAccountRepository _serviceAccountRepository;
+    private Organization _organization = null!;
+
+    public AccessPoliciesControllerTest(ApiApplicationFactory factory)
+    {
+        _factory = factory;
+        _client = _factory.CreateClient();
+        _accessPolicyRepository = _factory.GetService<IAccessPolicyRepository>();
+        _serviceAccountRepository = _factory.GetService<IServiceAccountRepository>();
+        _projectRepository = _factory.GetService<IProjectRepository>();
+    }
+
+    public async Task InitializeAsync()
+    {
+        var ownerEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        var tokens = await _factory.LoginWithNewAccount(ownerEmail);
+        var (organization, _) =
+            await OrganizationTestHelpers.SignUpAsync(_factory, ownerEmail: ownerEmail, billingEmail: ownerEmail);
+        _client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
+        _organization = organization;
+    }
+
+    public Task DisposeAsync() => Task.CompletedTask;
+
+    [Fact]
+    public async Task CreateProjectAccessPolicies()
+    {
+        var initialProject = await _projectRepository.CreateAsync(new Project
+        {
+            OrganizationId = _organization.Id,
+            Name = _mockEncryptedString
+        });
+
+        var initialServiceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
+        {
+            OrganizationId = _organization.Id,
+            Name = _mockEncryptedString
+        });
+
+        var request = new AccessPoliciesCreateRequest
+        {
+            ServiceAccountAccessPolicyRequests = new List<AccessPolicyRequest>
+            {
+                new() { GranteeId = initialServiceAccount.Id, Read = true, Write = true }
+            }
+        };
+
+        var response = await _client.PostAsJsonAsync($"/projects/{initialProject.Id}/access-policies", request);
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<ProjectAccessPoliciesResponseModel>();
+
+        Assert.NotNull(result);
+        Assert.Equal(initialServiceAccount.Id, result!.ServiceAccountAccessPolicies.First().ServiceAccountId);
+        Assert.True(result.ServiceAccountAccessPolicies.First().Read);
+        Assert.True(result.ServiceAccountAccessPolicies.First().Write);
+        AssertHelper.AssertRecent(result.ServiceAccountAccessPolicies.First().RevisionDate);
+        AssertHelper.AssertRecent(result.ServiceAccountAccessPolicies.First().CreationDate);
+
+        var createdAccessPolicy =
+            await _accessPolicyRepository.GetByIdAsync(result.ServiceAccountAccessPolicies.First().Id);
+        Assert.NotNull(createdAccessPolicy);
+        Assert.Equal(result.ServiceAccountAccessPolicies.First().Read, createdAccessPolicy!.Read);
+        Assert.Equal(result.ServiceAccountAccessPolicies.First().Write, createdAccessPolicy.Write);
+        Assert.Equal(result.ServiceAccountAccessPolicies.First().Id, createdAccessPolicy.Id);
+        AssertHelper.AssertRecent(createdAccessPolicy.CreationDate);
+        AssertHelper.AssertRecent(createdAccessPolicy.RevisionDate);
+    }
+
+    [Fact]
+    public async Task UpdateAccessPolicy()
+    {
+        var initData = await SetupAccessPolicyRequest();
+
+        const bool expectedRead = true;
+        const bool expectedWrite = false;
+        var request = new AccessPolicyUpdateRequest { Read = expectedRead, Write = expectedWrite };
+
+        var response = await _client.PutAsJsonAsync($"/access-policies/{initData.InitialAccessPolicyId}", request);
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<ServiceAccountProjectAccessPolicyResponseModel>();
+
+        Assert.NotNull(result);
+        Assert.Equal(expectedRead, result!.Read);
+        Assert.Equal(expectedWrite, result.Write);
+        AssertHelper.AssertRecent(result.RevisionDate);
+
+        var updatedAccessPolicy = await _accessPolicyRepository.GetByIdAsync(result.Id);
+        Assert.NotNull(updatedAccessPolicy);
+        Assert.Equal(expectedRead, updatedAccessPolicy!.Read);
+        Assert.Equal(expectedWrite, updatedAccessPolicy.Write);
+        AssertHelper.AssertRecent(updatedAccessPolicy.RevisionDate);
+    }
+
+
+    [Fact]
+    public async Task DeleteAccessPolicy()
+    {
+        var initData = await SetupAccessPolicyRequest();
+
+        var response = await _client.DeleteAsync($"/access-policies/{initData.InitialAccessPolicyId}");
+        response.EnsureSuccessStatusCode();
+
+        var test = await _accessPolicyRepository.GetByIdAsync(initData.InitialAccessPolicyId);
+        Assert.Null(test);
+    }
+
+    [Fact]
+    public async Task GetProjectAccessPolicies()
+    {
+        var initData = await SetupAccessPolicyRequest();
+
+        var response = await _client.GetAsync($"/projects/{initData.InitialProjectId}/access-policies");
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<ProjectAccessPoliciesResponseModel>();
+
+        Assert.NotNull(result?.ServiceAccountAccessPolicies);
+        Assert.Single(result!.ServiceAccountAccessPolicies);
+    }
+
+    private async Task<RequestSetupData> SetupAccessPolicyRequest()
+    {
+        var initialProject = await _projectRepository.CreateAsync(new Project
+        {
+            OrganizationId = _organization.Id,
+            Name = _mockEncryptedString,
+        });
+
+        var initialServiceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
+        {
+            OrganizationId = _organization.Id,
+            Name = _mockEncryptedString,
+        });
+
+        var initialAccessPolicy = await _accessPolicyRepository.CreateManyAsync(
+            new List<BaseAccessPolicy>
+            {
+                new ServiceAccountProjectAccessPolicy
+                {
+                    Read = true,
+                    Write = true,
+                    ServiceAccountId = initialServiceAccount.Id,
+                    GrantedProjectId = initialProject.Id,
+                }
+            });
+
+        return new RequestSetupData
+        {
+            InitialProjectId = initialProject.Id,
+            InitialServiceAccountId = initialServiceAccount.Id,
+            InitialAccessPolicyId = initialAccessPolicy.First().Id,
+        };
+    }
+
+    private class RequestSetupData
+    {
+        public Guid InitialProjectId { get; set; }
+        public Guid InitialAccessPolicyId { get; set; }
+        public Guid InitialServiceAccountId { get; set; }
+    }
+}
--- a/test/Api.Test/Controllers/AccessPoliciesControllerTests.cs
+++ b/test/Api.Test/Controllers/AccessPoliciesControllerTests.cs
@ -0,0 +1,87 @@
+using Bit.Api.Controllers;
+using Bit.Api.SecretManagerFeatures.Models.Request;
+using Bit.Core.Entities;
+using Bit.Core.Repositories;
+using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Bit.Test.Common.Helpers;
+using NSubstitute;
+using NSubstitute.ReturnsExtensions;
+using Xunit;
+
+namespace Bit.Api.Test.Controllers;
+
+[ControllerCustomize(typeof(AccessPoliciesController))]
+[SutProviderCustomize]
+[JsonDocumentCustomize]
+public class AccessPoliciesControllerTests
+{
+    [Theory]
+    [BitAutoData]
+    public async void GetAccessPoliciesByProject_ReturnsEmptyList(SutProvider<AccessPoliciesController> sutProvider,
+        Guid id)
+    {
+        var result = await sutProvider.Sut.GetProjectAccessPoliciesAsync(id);
+
+        await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
+            .GetManyByProjectId(Arg.Is(AssertHelper.AssertPropertyEqual(id)));
+
+        Assert.Empty(result.GroupAccessPolicies);
+        Assert.Empty(result.UserAccessPolicies);
+        Assert.Empty(result.ServiceAccountAccessPolicies);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async void GetAccessPoliciesByProject_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id,
+        UserProjectAccessPolicy resultAccessPolicy)
+    {
+        sutProvider.GetDependency<IAccessPolicyRepository>().GetManyByProjectId(default)
+            .ReturnsForAnyArgs(new List<BaseAccessPolicy> { resultAccessPolicy });
+
+        var result = await sutProvider.Sut.GetProjectAccessPoliciesAsync(id);
+
+        await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
+            .GetManyByProjectId(Arg.Is(AssertHelper.AssertPropertyEqual(id)));
+
+        Assert.Empty(result.GroupAccessPolicies);
+        Assert.NotEmpty(result.UserAccessPolicies);
+        Assert.Empty(result.ServiceAccountAccessPolicies);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async void CreateAccessPolicies_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id,
+        UserProjectAccessPolicy data, AccessPoliciesCreateRequest request)
+    {
+        sutProvider.GetDependency<ICreateAccessPoliciesCommand>().CreateAsync(default)
+            .ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
+        var result = await sutProvider.Sut.CreateProjectAccessPoliciesAsync(id, request);
+        await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().Received(1)
+            .CreateAsync(Arg.Any<List<BaseAccessPolicy>>());
+    }
+
+
+    [Theory]
+    [BitAutoData]
+    public async void UpdateAccessPolicies_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id,
+        UserProjectAccessPolicy data, AccessPolicyUpdateRequest request)
+    {
+        sutProvider.GetDependency<IUpdateAccessPolicyCommand>().UpdateAsync(default, default, default)
+            .ReturnsForAnyArgs(data);
+        var result = await sutProvider.Sut.UpdateAccessPolicyAsync(id, request);
+        await sutProvider.GetDependency<IUpdateAccessPolicyCommand>().Received(1)
+            .UpdateAsync(Arg.Any<Guid>(), Arg.Is(request.Read), Arg.Is(request.Write));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async void DeleteAccessPolicies_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id)
+    {
+        sutProvider.GetDependency<IDeleteAccessPolicyCommand>().DeleteAsync(default).ReturnsNull();
+        await sutProvider.Sut.DeleteAccessPolicyAsync(id);
+        await sutProvider.GetDependency<IDeleteAccessPolicyCommand>().Received(1)
+            .DeleteAsync(Arg.Any<Guid>());
+    }
+}