[AC-1174] CollectionUser and CollectionGroup authorization handlers (#3194)

* [AC-1174] Introduce BulkAuthorizationHandler.cs * [AC-1174] Introduce CollectionUserAuthorizationHandler * [AC-1174] Add CreateForNewCollection CollectionUser requirement * [AC-1174] Add some more details to CollectionCustomization * [AC-1174] Formatting * [AC-1174] Add CollectionGroupOperation.cs * [AC-1174] Introduce CollectionGroupAuthorizationHandler.cs * [AC-1174] Cleanup CollectionFixture customization Implement and use re-usable extension method to support seeded Guids * [AC-1174] Introduce WithValueFromList AutoFixtureExtensions Modify CollectionCustomization to use multiple organization Ids for auto generated test data * [AC-1174] Simplify CollectionUserAuthorizationHandler.cs Modify the authorization handler to only perform authorization logic. Validation logic will need to be handled by any calling commands/controllers instead. * [AC-1174] Introduce shared CollectionAccessAuthorizationHandlerBase A shared base authorization handler was created for both CollectionUser and CollectionGroup resources, as they share the same underlying management authorization logic. * [AC-1174] Update CollectionUserAuthorizationHandler and CollectionGroupAuthorizationHandler to use the new CollectionAccessAuthorizationHandlerBase class * [AC-1174] Formatting * [AC-1174] Cleanup typo and redundant ToList() call * [AC-1174] Add check for provider users * [AC-1174] Reduce nested loops * [AC-1174] Introduce ICollectionAccess.cs * [AC-1174] Remove individual CollectionGroup and CollectionUser auth handlers and use base class instead * [AC-1174] Tweak unit test to fail minimally * [AC-1174] Reorganize authorization handlers in Core project * [AC-1174] Introduce new AddCoreAuthorizationHandlers() extension method * [AC-1174] Move CollectionAccessAuthorizationHandler into Api project * [AC-1174] Move CollectionFixture to Vault folder * [AC-1174] Rename operation to CreateUpdateDelete * [AC-1174] Require single organization for collection access authorization handler - Add requirement that all target collections must belong to the same organization - Simplify logic related to multiple organizations - Update tests and helpers - Use ToHashSet to improve lookup time * [AC-1174] Fix null reference exception * [AC-1174] Throw bad request exception when collections belong to different organizations * [AC-1174] Switch to CollectionAuthorizationHandler instead of CollectionAccessAuthorizationHandler to reduce complexity
2025-07-01 08:02:49 -05:00 · 2023-08-30 14:13:58 -07:00
parent e87c20c7a1
commit 5dc3ca85c3
9 changed files with 497 additions and 1 deletions
--- a/test/Api.Test/Vault/AuthorizationHandlers/CollectionAuthorizationHandlerTests.cs
+++ b/test/Api.Test/Vault/AuthorizationHandlers/CollectionAuthorizationHandlerTests.cs
@ -0,0 +1,163 @@
+using System.Security.Claims;
+using Bit.Api.Vault.AuthorizationHandlers;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Models.Data;
+using Bit.Core.Repositories;
+using Bit.Core.Test.Vault.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.Vault.AuthorizationHandlers;
+
+[SutProviderCustomize]
+public class CollectionAuthorizationHandlerTests
+{
+    [Theory, CollectionCustomization]
+    [BitAutoData(OrganizationUserType.User, false, true)]
+    [BitAutoData(OrganizationUserType.Admin, false, false)]
+    [BitAutoData(OrganizationUserType.Owner, false, false)]
+    [BitAutoData(OrganizationUserType.Custom, true, false)]
+    [BitAutoData(OrganizationUserType.Owner, true, true)]
+    public async Task CanManageCollectionAccessAsync_Success(
+        OrganizationUserType userType, bool editAnyCollection, bool manageCollections,
+        SutProvider<CollectionAuthorizationHandler> sutProvider,
+        ICollection<Collection> collections,
+        ICollection<CollectionDetails> collectionDetails,
+        CurrentContentOrganization organization)
+    {
+        var actingUserId = Guid.NewGuid();
+        foreach (var collectionDetail in collectionDetails)
+        {
+            collectionDetail.Manage = manageCollections;
+        }
+
+        organization.Type = userType;
+        organization.Permissions.EditAnyCollection = editAnyCollection;
+
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperation.ModifyAccess },
+            new ClaimsPrincipal(),
+            collections);
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationMembershipAsync(Arg.Any<IOrganizationUserRepository>(), actingUserId).Returns(new[] { organization });
+        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collectionDetails);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+
+    [Theory, BitAutoData, CollectionCustomization]
+    public async Task CanManageCollectionAccessAsync_MissingUserId_Failure(
+        SutProvider<CollectionAuthorizationHandler> sutProvider,
+        ICollection<Collection> collections)
+    {
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperation.ModifyAccess },
+            new ClaimsPrincipal(),
+            collections
+        );
+
+        // Simulate missing user id
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns((Guid?)null);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.True(context.HasFailed);
+        sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs();
+    }
+
+    [Theory, BitAutoData, CollectionCustomization]
+    public async Task CanManageCollectionAccessAsync_TargetCollectionsMultipleOrgs_Failure(
+        SutProvider<CollectionAuthorizationHandler> sutProvider,
+        IList<Collection> collections)
+    {
+        var actingUserId = Guid.NewGuid();
+
+        // Simulate a collection in a different organization
+        collections.First().OrganizationId = Guid.NewGuid();
+
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperation.ModifyAccess },
+            new ClaimsPrincipal(),
+            collections
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.HandleAsync(context));
+        Assert.Equal("Requested collections must belong to the same organization.", exception.Message);
+        await sutProvider.GetDependency<ICurrentContext>().DidNotReceiveWithAnyArgs()
+            .OrganizationMembershipAsync(default, default);
+    }
+
+    [Theory, BitAutoData, CollectionCustomization]
+    public async Task CanManageCollectionAccessAsync_MissingOrgMembership_Failure(
+        SutProvider<CollectionAuthorizationHandler> sutProvider,
+        ICollection<Collection> collections,
+        CurrentContentOrganization organization)
+    {
+        var actingUserId = Guid.NewGuid();
+
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperation.ModifyAccess },
+            new ClaimsPrincipal(),
+            collections
+        );
+
+        // Simulate a missing org membership
+        organization.Id = Guid.NewGuid();
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationMembershipAsync(Arg.Any<IOrganizationUserRepository>(), actingUserId).Returns(new[] { organization });
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.True(context.HasFailed);
+        await sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs()
+            .GetManyByUserIdAsync(default);
+    }
+
+    [Theory, BitAutoData, CollectionCustomization]
+    public async Task CanManageCollectionAccessAsync_MissingManageCollectionPermission_Failure(
+        SutProvider<CollectionAuthorizationHandler> sutProvider,
+        ICollection<Collection> collections,
+        ICollection<CollectionDetails> collectionDetails,
+        CurrentContentOrganization organization)
+    {
+        var actingUserId = Guid.NewGuid();
+
+        foreach (var collectionDetail in collectionDetails)
+        {
+            collectionDetail.Manage = true;
+        }
+        // Simulate one collection missing the manage permission
+        collectionDetails.First().Manage = false;
+
+        // Ensure the user is not an owner/admin and does not have edit any collection permission
+        organization.Type = OrganizationUserType.User;
+        organization.Permissions.EditAnyCollection = false;
+
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperation.ModifyAccess },
+            new ClaimsPrincipal(),
+            collections
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationMembershipAsync(Arg.Any<IOrganizationUserRepository>(), actingUserId).Returns(new[] { organization });
+        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collectionDetails);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.True(context.HasFailed);
+        await sutProvider.GetDependency<ICurrentContext>().ReceivedWithAnyArgs().OrganizationMembershipAsync(default, default);
+        await sutProvider.GetDependency<ICollectionRepository>().ReceivedWithAnyArgs()
+            .GetManyByUserIdAsync(default);
+    }
+}