[AC-1174] CollectionUser and CollectionGroup authorization handlers (#3194)

* [AC-1174] Introduce BulkAuthorizationHandler.cs * [AC-1174] Introduce CollectionUserAuthorizationHandler * [AC-1174] Add CreateForNewCollection CollectionUser requirement * [AC-1174] Add some more details to CollectionCustomization * [AC-1174] Formatting * [AC-1174] Add CollectionGroupOperation.cs * [AC-1174] Introduce CollectionGroupAuthorizationHandler.cs * [AC-1174] Cleanup CollectionFixture customization Implement and use re-usable extension method to support seeded Guids * [AC-1174] Introduce WithValueFromList AutoFixtureExtensions Modify CollectionCustomization to use multiple organization Ids for auto generated test data * [AC-1174] Simplify CollectionUserAuthorizationHandler.cs Modify the authorization handler to only perform authorization logic. Validation logic will need to be handled by any calling commands/controllers instead. * [AC-1174] Introduce shared CollectionAccessAuthorizationHandlerBase A shared base authorization handler was created for both CollectionUser and CollectionGroup resources, as they share the same underlying management authorization logic. * [AC-1174] Update CollectionUserAuthorizationHandler and CollectionGroupAuthorizationHandler to use the new CollectionAccessAuthorizationHandlerBase class * [AC-1174] Formatting * [AC-1174] Cleanup typo and redundant ToList() call * [AC-1174] Add check for provider users * [AC-1174] Reduce nested loops * [AC-1174] Introduce ICollectionAccess.cs * [AC-1174] Remove individual CollectionGroup and CollectionUser auth handlers and use base class instead * [AC-1174] Tweak unit test to fail minimally * [AC-1174] Reorganize authorization handlers in Core project * [AC-1174] Introduce new AddCoreAuthorizationHandlers() extension method * [AC-1174] Move CollectionAccessAuthorizationHandler into Api project * [AC-1174] Move CollectionFixture to Vault folder * [AC-1174] Rename operation to CreateUpdateDelete * [AC-1174] Require single organization for collection access authorization handler - Add requirement that all target collections must belong to the same organization - Simplify logic related to multiple organizations - Update tests and helpers - Use ToHashSet to improve lookup time * [AC-1174] Fix null reference exception * [AC-1174] Throw bad request exception when collections belong to different organizations * [AC-1174] Switch to CollectionAuthorizationHandler instead of CollectionAccessAuthorizationHandler to reduce complexity
2025-07-04 01:22:50 -05:00 · 2023-08-30 14:13:58 -07:00
parent e87c20c7a1
commit 5dc3ca85c3
9 changed files with 497 additions and 1 deletions
--- a/test/Core.Test/Utilities/BulkAuthorizationHandlerTests.cs
+++ b/test/Core.Test/Utilities/BulkAuthorizationHandlerTests.cs
@ -0,0 +1,72 @@
+using System.Security.Claims;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+using Xunit;
+
+namespace Bit.Core.Test.Utilities;
+
+public class BulkAuthorizationHandlerTests
+{
+    [Fact]
+    public async Task HandleRequirementAsync_SingleResource_Success()
+    {
+        var handler = new TestBulkAuthorizationHandler();
+        var context = new AuthorizationHandlerContext(
+            new[] { new TestOperationRequirement() },
+            new ClaimsPrincipal(),
+            new TestResource());
+        await handler.HandleAsync(context);
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Fact]
+    public async Task HandleRequirementAsync_BulkResource_Success()
+    {
+        var handler = new TestBulkAuthorizationHandler();
+        var context = new AuthorizationHandlerContext(
+            new[] { new TestOperationRequirement() },
+            new ClaimsPrincipal(),
+            new[] { new TestResource(), new TestResource() });
+        await handler.HandleAsync(context);
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Fact]
+    public async Task HandleRequirementAsync_NoResources_Failure()
+    {
+        var handler = new TestBulkAuthorizationHandler();
+        var context = new AuthorizationHandlerContext(
+            new[] { new TestOperationRequirement() },
+            new ClaimsPrincipal(),
+            null);
+        await handler.HandleAsync(context);
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Fact]
+    public async Task HandleRequirementAsync_WrongResourceType_Failure()
+    {
+        var handler = new TestBulkAuthorizationHandler();
+        var context = new AuthorizationHandlerContext(
+            new[] { new TestOperationRequirement() },
+            new ClaimsPrincipal(),
+            new object());
+        await handler.HandleAsync(context);
+        Assert.False(context.HasSucceeded);
+    }
+
+    private class TestOperationRequirement : OperationAuthorizationRequirement { }
+
+    private class TestResource { }
+
+    private class TestBulkAuthorizationHandler : BulkAuthorizationHandler<TestOperationRequirement, TestResource>
+    {
+        protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+            TestOperationRequirement requirement,
+            ICollection<TestResource> resources)
+        {
+            context.Succeed(requirement);
+        }
+    }
+}