nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00
Code Activity

[AC-2847] Simplify OrganizationUser and Group PUT methods and tests (#4479)

Browse Source 
* refactor controller logic
* add additional validation checks to update commands
* refactor and improve tests
This commit is contained in:
Thomas Rittson
2024-07-16 10:47:28 +10:00
committed by GitHub
parent 7fee588812
commit 5df0e2180d
11 changed files with 1113 additions and 659 deletions
Download Patch File Download Diff File Expand all files Collapse all files

321
test/Api.Test/AdminConsole/Controllers/GroupsControllerPutTests.cs Normal file
View File

@ -0,0 +1,321 @@
using System.Security.Claims;
using Bit.Api.AdminConsole.Controllers;
using Bit.Api.AdminConsole.Models.Request;
using Bit.Api.Models.Request;
using Bit.Api.Vault.AuthorizationHandlers.Collections;
using Bit.Core;
using Bit.Core.AdminConsole.Entities;
using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
using Bit.Core.AdminConsole.Repositories;
using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Models.Data;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Utilities;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using Microsoft.AspNetCore.Authorization;
using NSubstitute;
using Xunit;
namespace Bit.Api.Test.AdminConsole.Controllers;
[ControllerCustomize(typeof(GroupsController))]
[SutProviderCustomize]
public class GroupsControllerPutTests
{
[Theory]
[BitAutoData]
public async Task Put_WithAdminAccess_Success(Organization organization, Group group,
GroupRequestModel groupRequestModel, List<CollectionAccessSelection> existingCollectionAccess,
OrganizationUser savingUser, SutProvider<GroupsController> sutProvider)
{
Put_Setup(sutProvider, organization, true, group, savingUser, existingCollectionAccess, []);
var requestModelCollectionIds = groupRequestModel.Collections.Select(c => c.Id).ToHashSet();
// Authorize all changes for basic happy path test
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Any<Collection>(),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Success());
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
Arg.Is<Group>(g =>
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
Arg.Is<Organization>(o => o.Id == organization.Id),
// Should overwrite any existing collections
Arg.Is<ICollection<CollectionAccessSelection>>(access =>
access.All(c => requestModelCollectionIds.Contains(c.Id))),
Arg.Is<IEnumerable<Guid>>(guids => guids.ToHashSet().SetEquals(groupRequestModel.Users.ToHashSet())));
Assert.Equal(groupRequestModel.Name, response.Name);
Assert.Equal(organization.Id, response.OrganizationId);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateMembers_NoAdminAccess_CannotAddSelfToGroup(Organization organization, Group group,
GroupRequestModel groupRequestModel, OrganizationUser savingUser, List<Guid> currentGroupUsers,
SutProvider<GroupsController> sutProvider)
{
// Not updating collections
groupRequestModel.Collections = [];
Put_Setup(sutProvider, organization, false, group, savingUser,
currentCollectionAccess: [], currentGroupUsers);
// Saving user is trying to add themselves to the group
var updatedUsers = groupRequestModel.Users.ToList();
updatedUsers.Add(savingUser.Id);
groupRequestModel.Users = updatedUsers;
var exception = await
Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel));
Assert.Contains("You cannot add yourself to groups", exception.Message);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateMembers_NoAdminAccess_AlreadyInGroup_Success(Organization organization, Group group,
GroupRequestModel groupRequestModel, OrganizationUser savingUser, List<Guid> currentGroupUsers,
SutProvider<GroupsController> sutProvider)
{
// Not changing collection access
groupRequestModel.Collections = [];
// Saving user is trying to add themselves to the group
var updatedUsers = groupRequestModel.Users.ToList();
updatedUsers.Add(savingUser.Id);
groupRequestModel.Users = updatedUsers;
// But! they are already a member of the group
currentGroupUsers.Add(savingUser.Id);
Put_Setup(sutProvider, organization, false, group, savingUser, currentCollectionAccess: [], currentGroupUsers);
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
Arg.Is<Group>(g =>
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
Arg.Is<Organization>(o => o.Id == organization.Id),
Arg.Any<ICollection<CollectionAccessSelection>>(),
Arg.Any<IEnumerable<Guid>>());
Assert.Equal(groupRequestModel.Name, response.Name);
Assert.Equal(organization.Id, response.OrganizationId);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateMembers_WithAdminAccess_CanAddSelfToGroup(Organization organization, Group group,
GroupRequestModel groupRequestModel, OrganizationUser savingUser, List<Guid> currentGroupUsers,
SutProvider<GroupsController> sutProvider)
{
// Not updating collections
groupRequestModel.Collections = [];
Put_Setup(sutProvider, organization, true, group, savingUser,
currentCollectionAccess: [], currentGroupUsers);
// Saving user is trying to add themselves to the group
var updatedUsers = groupRequestModel.Users.ToList();
updatedUsers.Add(savingUser.Id);
groupRequestModel.Users = updatedUsers;
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
Arg.Is<Group>(g =>
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
Arg.Is<Organization>(o => o.Id == organization.Id),
Arg.Any<ICollection<CollectionAccessSelection>>(),
Arg.Is<IEnumerable<Guid>>(guids => guids.ToHashSet().SetEquals(groupRequestModel.Users.ToHashSet())));
Assert.Equal(groupRequestModel.Name, response.Name);
Assert.Equal(organization.Id, response.OrganizationId);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateMembers_NoAdminAccess_ProviderUser_Success(Organization organization, Group group,
GroupRequestModel groupRequestModel, List<Guid> currentGroupUsers, SutProvider<GroupsController> sutProvider)
{
// Make collection authorization pass, it's not being tested here
groupRequestModel.Collections = Array.Empty<SelectionReadOnlyRequestModel>();
Put_Setup(sutProvider, organization, false, group, null, currentCollectionAccess: [], currentGroupUsers);
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
Arg.Is<Group>(g =>
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
Arg.Is<Organization>(o => o.Id == organization.Id),
Arg.Any<ICollection<CollectionAccessSelection>>(),
Arg.Any<IEnumerable<Guid>>());
Assert.Equal(groupRequestModel.Name, response.Name);
Assert.Equal(organization.Id, response.OrganizationId);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateCollections_DoesNotOverwriteUnauthorizedCollections(GroupRequestModel groupRequestModel,
Group group, Organization organization,
SutProvider<GroupsController> sutProvider, OrganizationUser savingUser)
{
var editedCollectionId = CoreHelpers.GenerateComb();
var readonlyCollectionId1 = CoreHelpers.GenerateComb();
var readonlyCollectionId2 = CoreHelpers.GenerateComb();
var currentCollectionAccess = new List<CollectionAccessSelection>
{
new()
{
Id = editedCollectionId,
HidePasswords = true,
Manage = false,
ReadOnly = true
},
new()
{
Id = readonlyCollectionId1,
HidePasswords = false,
Manage = true,
ReadOnly = false
},
new()
{
Id = readonlyCollectionId2,
HidePasswords = false,
Manage = false,
ReadOnly = false
},
};
Put_Setup(sutProvider, organization, false, group, savingUser, currentCollectionAccess, currentGroupUsers: []);
// User is upgrading editedCollectionId to manage
groupRequestModel.Collections = new List<SelectionReadOnlyRequestModel>
{
new() { Id = editedCollectionId, HidePasswords = false, Manage = true, ReadOnly = false }
};
// Authorize the editedCollection
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == editedCollectionId),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Success());
// Do not authorize the readonly collections
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == readonlyCollectionId1 || c.Id == readonlyCollectionId2),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Failed());
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
// Expect all collection access (modified and unmodified) to be saved
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
Arg.Is<Group>(g =>
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
Arg.Is<Organization>(o => o.Id == organization.Id),
Arg.Is<List<CollectionAccessSelection>>(cas =>
cas.Select(c => c.Id).SequenceEqual(currentCollectionAccess.Select(c => c.Id)) &&
cas.First(c => c.Id == editedCollectionId).Manage == true &&
cas.First(c => c.Id == editedCollectionId).ReadOnly == false &&
cas.First(c => c.Id == editedCollectionId).HidePasswords == false),
Arg.Any<IEnumerable<Guid>>());
Assert.Equal(groupRequestModel.Name, response.Name);
Assert.Equal(organization.Id, response.OrganizationId);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotUpdateCollections(GroupRequestModel groupRequestModel,
Group group, Organization organization,
SutProvider<GroupsController> sutProvider, OrganizationUser savingUser)
{
// Group is currently assigned to the POSTed collections
Put_Setup(sutProvider, organization, false, group, savingUser,
groupRequestModel.Collections.Select(cas => cas.ToSelectionReadOnly()).ToList(),
[]);
var postedCollectionIds = groupRequestModel.Collections.Select(c => c.Id).ToHashSet();
// But the saving user does not have permission to update them
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => postedCollectionIds.Contains(c.Id)),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Failed());
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel));
}
[Theory]
[BitAutoData]
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotAddCollections(GroupRequestModel groupRequestModel,
Group group, Organization organization,
SutProvider<GroupsController> sutProvider, OrganizationUser savingUser)
{
// Group is not assigned to the POSTed collections
Put_Setup(sutProvider, organization, false, group, savingUser, [], []);
var postedCollectionIds = groupRequestModel.Collections.Select(c => c.Id).ToHashSet();
// But the saving user does not have permission to update them
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => postedCollectionIds.Contains(c.Id)),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Failed());
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel));
}
private void Put_Setup(SutProvider<GroupsController> sutProvider, Organization organization,
bool adminAccess, Group group, OrganizationUser? savingUser, List<CollectionAccessSelection> currentCollectionAccess,
List<Guid> currentGroupUsers)
{
// FCv1 is now fully enabled
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
var orgId = organization.Id = group.OrganizationId;
// Arrange org and orgAbility
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(orgId)
.Returns(new OrganizationAbility
{
Id = organization.Id,
AllowAdminAccessToAllCollectionItems = adminAccess
});
// Arrange user
// If no savingUser provided, they're not an org user, just return a random guid
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(savingUser?.UserId ?? CoreHelpers.GenerateComb());
sutProvider.GetDependency<ICurrentContext>().ManageGroups(orgId).Returns(true);
// Arrange repositories
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id).Returns(currentGroupUsers ?? []);
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, currentCollectionAccess ?? []));
if (savingUser != null)
{
sutProvider.GetDependency<IOrganizationUserRepository>().GetByOrganizationAsync(orgId, savingUser.UserId.Value)
.Returns(savingUser);
}
// Collection repository: return mock Collection objects for any ids passed in
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>().Select(guid => new Collection { Id = guid }).ToList());
}
}

317
test/Api.Test/AdminConsole/Controllers/GroupsControllerTests.cs
View File

@ -1,12 +1,10 @@
using System.Security.Claims;
using Bit.Api.AdminConsole.Controllers;
using Bit.Api.AdminConsole.Models.Request;
using Bit.Api.Models.Request;
using Bit.Api.Vault.AuthorizationHandlers.Collections;
using Bit.Core;
using Bit.Core.AdminConsole.Entities;
using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
using Bit.Core.AdminConsole.Repositories;
using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
@ -14,7 +12,6 @@ using Bit.Core.Models.Data;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Utilities;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using Microsoft.AspNetCore.Authorization;
@ -111,321 +108,9 @@ public class GroupsControllerTests
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Failed());
var exception = await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Post(organization.Id, groupRequestModel));
Assert.Contains("You are not authorized to grant access to these collections.", exception.Message);
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Post(organization.Id, groupRequestModel));
await sutProvider.GetDependency<ICreateGroupCommand>().DidNotReceiveWithAnyArgs()
.CreateGroupAsync(default, default, default, default);
}
[Theory]
[BitAutoData]
public async Task Put_AdminsCanAccessAllCollections_Success(Organization organization, Group group,
GroupRequestModel groupRequestModel, List<CollectionAccessSelection> existingCollectionAccess,
SutProvider<GroupsController> sutProvider)
{
group.OrganizationId = organization.Id;
// Enable FC and v1, set Collection Management Setting
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
new OrganizationAbility { Id = organization.Id, AllowAdminAccessToAllCollectionItems = true });
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, existingCollectionAccess));
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(existingCollectionAccess.Select(c => c.Id))
.Returns(existingCollectionAccess.Select(c => new Collection { Id = c.Id }).ToList());
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
var requestModelCollectionIds = groupRequestModel.Collections.Select(c => c.Id).ToHashSet();
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
Arg.Is<Group>(g =>
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
Arg.Is<Organization>(o => o.Id == organization.Id),
// Should overwrite any existing collections
Arg.Is<ICollection<CollectionAccessSelection>>(access =>
access.All(c => requestModelCollectionIds.Contains(c.Id))),
Arg.Any<IEnumerable<Guid>>());
Assert.Equal(groupRequestModel.Name, response.Name);
Assert.Equal(organization.Id, response.OrganizationId);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateMembers_AdminsCannotAccessAllCollections_CannotAddSelfToGroup(Organization organization, Group group,
GroupRequestModel groupRequestModel, OrganizationUser savingOrganizationUser, List<Guid> currentGroupUsers,
SutProvider<GroupsController> sutProvider)
{
group.OrganizationId = organization.Id;
// Enable FC and v1
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
new OrganizationAbility
{
Id = organization.Id,
AllowAdminAccessToAllCollectionItems = false,
});
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
// Saving user is trying to add themselves to the group
var updatedUsers = groupRequestModel.Users.ToList();
updatedUsers.Add(savingOrganizationUser.Id);
groupRequestModel.Users = updatedUsers;
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, new List<CollectionAccessSelection>()));
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
sutProvider.GetDependency<IOrganizationUserRepository>()
.GetByOrganizationAsync(organization.Id, Arg.Any<Guid>())
.Returns(savingOrganizationUser);
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>())
.Returns(savingOrganizationUser.UserId);
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id)
.Returns(currentGroupUsers);
var exception = await
Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel));
Assert.Contains("You cannot add yourself to groups", exception.Message);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateMembers_AdminsCannotAccessAllCollections_AlreadyInGroup_Success(Organization organization, Group group,
GroupRequestModel groupRequestModel, OrganizationUser savingOrganizationUser, List<Guid> currentGroupUsers,
SutProvider<GroupsController> sutProvider)
{
group.OrganizationId = organization.Id;
// Enable FC and v1
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
new OrganizationAbility
{
Id = organization.Id,
AllowAdminAccessToAllCollectionItems = false,
});
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
// Saving user is trying to add themselves to the group
var updatedUsers = groupRequestModel.Users.ToList();
updatedUsers.Add(savingOrganizationUser.Id);
groupRequestModel.Users = updatedUsers;
// But! they are already a member of the group
currentGroupUsers.Add(savingOrganizationUser.Id);
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, new List<CollectionAccessSelection>()));
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
sutProvider.GetDependency<IOrganizationUserRepository>()
.GetByOrganizationAsync(organization.Id, Arg.Any<Guid>())
.Returns(savingOrganizationUser);
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>())
.Returns(savingOrganizationUser.UserId);
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id)
.Returns(currentGroupUsers);
// Make collection authorization pass, it's not being tested here
groupRequestModel.Collections = Array.Empty<SelectionReadOnlyRequestModel>();
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
Arg.Is<Group>(g =>
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
Arg.Is<Organization>(o => o.Id == organization.Id),
Arg.Any<ICollection<CollectionAccessSelection>>(),
Arg.Any<IEnumerable<Guid>>());
Assert.Equal(groupRequestModel.Name, response.Name);
Assert.Equal(organization.Id, response.OrganizationId);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateMembers_AdminsCannotAccessAllCollections_ProviderUser_Success(Organization organization, Group group,
GroupRequestModel groupRequestModel, List<Guid> currentGroupUsers, Guid savingUserId,
SutProvider<GroupsController> sutProvider)
{
group.OrganizationId = organization.Id;
// Enable FC and v1
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
new OrganizationAbility
{
Id = organization.Id,
AllowAdminAccessToAllCollectionItems = false,
});
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, new List<CollectionAccessSelection>()));
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
sutProvider.GetDependency<IOrganizationUserRepository>()
.GetByOrganizationAsync(organization.Id, Arg.Any<Guid>())
.Returns((OrganizationUser)null); // Provider is not an OrganizationUser, so it will always return null
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>())
.Returns(savingUserId);
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id)
.Returns(currentGroupUsers);
// Make collection authorization pass, it's not being tested here
groupRequestModel.Collections = Array.Empty<SelectionReadOnlyRequestModel>();
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
Arg.Is<Group>(g =>
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
Arg.Is<Organization>(o => o.Id == organization.Id),
Arg.Any<ICollection<CollectionAccessSelection>>(),
Arg.Any<IEnumerable<Guid>>());
Assert.Equal(groupRequestModel.Name, response.Name);
Assert.Equal(organization.Id, response.OrganizationId);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateCollections_OnlyUpdatesCollectionsTheSavingUserCanUpdate(GroupRequestModel groupRequestModel,
Group group, Organization organization,
SutProvider<GroupsController> sutProvider, Guid savingUserId)
{
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
Put_Setup(sutProvider, organization, group, savingUserId);
var editedCollectionId = CoreHelpers.GenerateComb();
var readonlyCollectionId1 = CoreHelpers.GenerateComb();
var readonlyCollectionId2 = CoreHelpers.GenerateComb();
var currentCollectionAccess = new List<CollectionAccessSelection>
{
new()
{
Id = editedCollectionId,
HidePasswords = true,
Manage = false,
ReadOnly = true
},
new()
{
Id = readonlyCollectionId1,
HidePasswords = false,
Manage = true,
ReadOnly = false
},
new()
{
Id = readonlyCollectionId2,
HidePasswords = false,
Manage = false,
ReadOnly = false
},
};
// User is upgrading editedCollectionId to manage
groupRequestModel.Collections = new List<SelectionReadOnlyRequestModel>
{
new() { Id = editedCollectionId, HidePasswords = false, Manage = true, ReadOnly = false }
};
sutProvider.GetDependency<IGroupRepository>()
.GetByIdWithCollectionsAsync(group.Id)
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group,
currentCollectionAccess));
var currentCollections = currentCollectionAccess
.Select(cas => new Collection { Id = cas.Id }).ToList();
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
.Returns(currentCollections);
// Authorize the editedCollection
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == editedCollectionId),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Success());
// Do not authorize the readonly collections
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == readonlyCollectionId1 || c.Id == readonlyCollectionId2),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Failed());
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
// Expect all collection access (modified and unmodified) to be saved
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
Arg.Is<Group>(g =>
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
Arg.Is<Organization>(o => o.Id == organization.Id),
Arg.Is<List<CollectionAccessSelection>>(cas =>
cas.Select(c => c.Id).SequenceEqual(currentCollectionAccess.Select(c => c.Id)) &&
cas.First(c => c.Id == editedCollectionId).Manage == true &&
cas.First(c => c.Id == editedCollectionId).ReadOnly == false &&
cas.First(c => c.Id == editedCollectionId).HidePasswords == false),
Arg.Any<IEnumerable<Guid>>());
Assert.Equal(groupRequestModel.Name, response.Name);
Assert.Equal(organization.Id, response.OrganizationId);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotUpdateCollections(GroupRequestModel groupRequestModel,
Group group, Organization organization,
SutProvider<GroupsController> sutProvider, Guid savingUserId)
{
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
Put_Setup(sutProvider, organization, group, savingUserId);
sutProvider.GetDependency<IGroupRepository>()
.GetByIdWithCollectionsAsync(group.Id)
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group,
groupRequestModel.Collections.Select(cas => cas.ToSelectionReadOnly()).ToList()));
var collections = groupRequestModel.Collections.Select(cas => new Collection { Id = cas.Id }).ToList();
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(Arg.Is<IEnumerable<Guid>>(guids => guids.SequenceEqual(collections.Select(c => c.Id))))
.Returns(collections);
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => collections.Contains(c)),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Failed());
var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel));
Assert.Contains("You must have Can Manage permission", exception.Message);
}
private void Put_Setup(SutProvider<GroupsController> sutProvider, Organization organization,
Group group, Guid savingUserId)
{
var orgId = organization.Id = group.OrganizationId;
sutProvider.GetDependency<ICurrentContext>().ManageGroups(orgId).Returns(true);
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(orgId)
.Returns(new OrganizationAbility
{
Id = organization.Id,
AllowAdminAccessToAllCollectionItems = false
});
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id).Returns(new List<Guid>());
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(savingUserId);
sutProvider.GetDependency<IOrganizationUserRepository>().GetByOrganizationAsync(orgId, savingUserId).Returns(new OrganizationUser
{
Id = savingUserId
});
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
}
}

284
test/Api.Test/AdminConsole/Controllers/OrganizationUserControllerPutTests.cs Normal file
View File

@ -0,0 +1,284 @@
using System.Security.Claims;
using Bit.Api.AdminConsole.Controllers;
using Bit.Api.AdminConsole.Models.Request.Organizations;
using Bit.Api.Models.Request;
using Bit.Api.Vault.AuthorizationHandlers.Collections;
using Bit.Core;
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Models.Data;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Utilities;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using Microsoft.AspNetCore.Authorization;
using NSubstitute;
using Xunit;
namespace Bit.Api.Test.AdminConsole.Controllers;
[ControllerCustomize(typeof(OrganizationUsersController))]
[SutProviderCustomize]
public class OrganizationUserControllerPutTests
{
[Theory]
[BitAutoData]
public async Task Put_Success(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, currentCollectionAccess: []);
// Authorize all changes for basic happy path test
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Any<Collection>(),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
.Returns(AuthorizationResult.Success());
// Save these for later - organizationUser object will be mutated
var orgUserId = organizationUser.Id;
var orgUserEmail = organizationUser.Email;
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
ou.Type == model.Type &&
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
ou.AccessSecretsManager == model.AccessSecretsManager &&
ou.Id == orgUserId &&
ou.Email == orgUserEmail),
savingUserId,
Arg.Is<List<CollectionAccessSelection>>(cas =>
cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
model.Groups);
}
[Theory]
[BitAutoData]
public async Task Put_NoAdminAccess_CannotAddSelfToCollections(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
// Updating self
organizationUser.UserId = savingUserId;
organizationAbility.AllowAdminAccessToAllCollectionItems = false;
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, currentCollectionAccess: []);
var exception = await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model));
Assert.Contains("You cannot add yourself to a collection.", exception.Message);
}
[Theory]
[BitAutoData]
public async Task Put_NoAdminAccess_CannotAddSelfToGroups(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
// Updating self
organizationUser.UserId = savingUserId;
organizationAbility.AllowAdminAccessToAllCollectionItems = false;
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, currentCollectionAccess: []);
// Not changing any collection access
model.Collections = new List<SelectionReadOnlyRequestModel>();
var orgUserId = organizationUser.Id;
var orgUserEmail = organizationUser.Email;
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
ou.Type == model.Type &&
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
ou.AccessSecretsManager == model.AccessSecretsManager &&
ou.Id == orgUserId &&
ou.Email == orgUserEmail),
savingUserId,
Arg.Is<List<CollectionAccessSelection>>(cas =>
cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
// Main assertion: groups are not updated (are null)
null);
}
[Theory]
[BitAutoData]
public async Task Put_WithAdminAccess_CanAddSelfToGroups(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
// Updating self
organizationUser.UserId = savingUserId;
organizationAbility.AllowAdminAccessToAllCollectionItems = true;
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, currentCollectionAccess: []);
// Not changing any collection access
model.Collections = new List<SelectionReadOnlyRequestModel>();
var orgUserId = organizationUser.Id;
var orgUserEmail = organizationUser.Email;
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
ou.Type == model.Type &&
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
ou.AccessSecretsManager == model.AccessSecretsManager &&
ou.Id == orgUserId &&
ou.Email == orgUserEmail),
savingUserId,
Arg.Is<List<CollectionAccessSelection>>(cas =>
cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
model.Groups);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateCollections_DoesNotOverwriteUnauthorizedCollections(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
var editedCollectionId = CoreHelpers.GenerateComb();
var readonlyCollectionId1 = CoreHelpers.GenerateComb();
var readonlyCollectionId2 = CoreHelpers.GenerateComb();
var currentCollectionAccess = new List<CollectionAccessSelection>
{
new()
{
Id = editedCollectionId,
HidePasswords = true,
Manage = false,
ReadOnly = true
},
new()
{
Id = readonlyCollectionId1,
HidePasswords = false,
Manage = true,
ReadOnly = false
},
new()
{
Id = readonlyCollectionId2,
HidePasswords = false,
Manage = false,
ReadOnly = false
},
};
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, currentCollectionAccess);
// User is upgrading editedCollectionId to manage
model.Collections = new List<SelectionReadOnlyRequestModel>
{
new() { Id = editedCollectionId, HidePasswords = false, Manage = true, ReadOnly = false }
};
// Save these for later - organizationUser object will be mutated
var orgUserId = organizationUser.Id;
var orgUserEmail = organizationUser.Email;
// Authorize the editedCollection
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == editedCollectionId),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
.Returns(AuthorizationResult.Success());
// Do not authorize the readonly collections
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == readonlyCollectionId1 || c.Id == readonlyCollectionId2),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
.Returns(AuthorizationResult.Failed());
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
// Expect all collection access (modified and unmodified) to be saved
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
ou.Type == model.Type &&
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
ou.AccessSecretsManager == model.AccessSecretsManager &&
ou.Id == orgUserId &&
ou.Email == orgUserEmail),
savingUserId,
Arg.Is<List<CollectionAccessSelection>>(cas =>
cas.Select(c => c.Id).SequenceEqual(currentCollectionAccess.Select(c => c.Id)) &&
cas.First(c => c.Id == editedCollectionId).Manage == true &&
cas.First(c => c.Id == editedCollectionId).ReadOnly == false &&
cas.First(c => c.Id == editedCollectionId).HidePasswords == false),
model.Groups);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotUpdateCollections(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
// Target user is currently assigned to the POSTed collections
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId,
currentCollectionAccess: model.Collections.Select(cas => cas.ToSelectionReadOnly()).ToList());
var postedCollectionIds = model.Collections.Select(c => c.Id).ToHashSet();
// But the saving user does not have permission to update them
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => postedCollectionIds.Contains(c.Id)),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
.Returns(AuthorizationResult.Failed());
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model));
}
[Theory]
[BitAutoData]
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotAddCollections(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
// The target user is not currently assigned to any collections, so we're granting access for the first time
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, currentCollectionAccess: []);
var postedCollectionIds = model.Collections.Select(c => c.Id).ToHashSet();
// But the saving user does not have permission to assign access to the collections
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => postedCollectionIds.Contains(c.Id)),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
.Returns(AuthorizationResult.Failed());
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model));
}
private void Put_Setup(SutProvider<OrganizationUsersController> sutProvider,
OrganizationAbility organizationAbility, OrganizationUser organizationUser, Guid savingUserId,
List<CollectionAccessSelection> currentCollectionAccess)
{
// FCv1 is now fully enabled
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
var orgId = organizationAbility.Id = organizationUser.OrganizationId;
sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(organizationUser.Id)
.Returns(organizationUser);
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(orgId)
.Returns(organizationAbility);
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(savingUserId);
// OrganizationUserRepository: return the user with current collection access
sutProvider.GetDependency<IOrganizationUserRepository>()
.GetByIdWithCollectionsAsync(organizationUser.Id)
.Returns(new Tuple<OrganizationUser, ICollection<CollectionAccessSelection>>(organizationUser,
currentCollectionAccess ?? []));
// Collection repository: return mock Collection objects for any ids passed in
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>().Select(guid => new Collection { Id = guid }).ToList());
}
}

268
test/Api.Test/AdminConsole/Controllers/OrganizationUsersControllerTests.cs
View File

@ -1,13 +1,11 @@
using System.Security.Claims;
using Bit.Api.AdminConsole.Controllers;
using Bit.Api.AdminConsole.Models.Request.Organizations;
using Bit.Api.Models.Request;
using Bit.Api.Vault.AuthorizationHandlers.Collections;
using Bit.Core;
using Bit.Core.AdminConsole.Entities;
using Bit.Core.AdminConsole.Enums;
using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
using Bit.Core.AdminConsole.Repositories;
using Bit.Core.Auth.Entities;
using Bit.Core.Auth.Repositories;
@ -183,241 +181,7 @@ public class OrganizationUsersControllerTests
.Returns(AuthorizationResult.Failed());
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(userId);
var exception = await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Invite(organizationAbility.Id, model));
Assert.Contains("You are not authorized", exception.Message);
}
[Theory]
[BitAutoData]
public async Task Put_Success(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(false);
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, true);
// Save these for later - organizationUser object will be mutated
var orgUserId = organizationUser.Id;
var orgUserEmail = organizationUser.Email;
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
ou.Type == model.Type &&
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
ou.AccessSecretsManager == model.AccessSecretsManager &&
ou.Id == orgUserId &&
ou.Email == orgUserEmail),
savingUserId,
Arg.Is<List<CollectionAccessSelection>>(cas =>
cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
model.Groups);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateSelf_WithoutAllowAdminAccessToAllCollectionItems_CannotAddSelfToCollections(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
// Updating self
organizationUser.UserId = savingUserId;
organizationAbility.AllowAdminAccessToAllCollectionItems = false;
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, false);
// User is not currently assigned to any collections, which means they're adding themselves
sutProvider.GetDependency<IOrganizationUserRepository>()
.GetByIdWithCollectionsAsync(organizationUser.Id)
.Returns(new Tuple<OrganizationUser, ICollection<CollectionAccessSelection>>(organizationUser,
new List<CollectionAccessSelection>()));
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
.Returns(new List<Collection>());
var orgUserId = organizationUser.Id;
var orgUserEmail = organizationUser.Email;
var exception = await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model));
Assert.Contains("You cannot add yourself to a collection.", exception.Message);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateSelf_WithoutAllowAdminAccessToAllCollectionItems_DoesNotUpdateGroups(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
// Updating self
organizationUser.UserId = savingUserId;
organizationAbility.AllowAdminAccessToAllCollectionItems = false;
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, true);
var orgUserId = organizationUser.Id;
var orgUserEmail = organizationUser.Email;
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
ou.Type == model.Type &&
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
ou.AccessSecretsManager == model.AccessSecretsManager &&
ou.Id == orgUserId &&
ou.Email == orgUserEmail),
savingUserId,
Arg.Is<List<CollectionAccessSelection>>(cas =>
cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
null);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateSelf_WithAllowAdminAccessToAllCollectionItems_DoesUpdateGroups(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
// Updating self
organizationUser.UserId = savingUserId;
organizationAbility.AllowAdminAccessToAllCollectionItems = true;
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, true);
var orgUserId = organizationUser.Id;
var orgUserEmail = organizationUser.Email;
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
ou.Type == model.Type &&
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
ou.AccessSecretsManager == model.AccessSecretsManager &&
ou.Id == orgUserId &&
ou.Email == orgUserEmail),
savingUserId,
Arg.Is<List<CollectionAccessSelection>>(cas =>
cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
model.Groups);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateCollections_OnlyUpdatesCollectionsTheSavingUserCanUpdate(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, false);
var editedCollectionId = CoreHelpers.GenerateComb();
var readonlyCollectionId1 = CoreHelpers.GenerateComb();
var readonlyCollectionId2 = CoreHelpers.GenerateComb();
var currentCollectionAccess = new List<CollectionAccessSelection>
{
new()
{
Id = editedCollectionId,
HidePasswords = true,
Manage = false,
ReadOnly = true
},
new()
{
Id = readonlyCollectionId1,
HidePasswords = false,
Manage = true,
ReadOnly = false
},
new()
{
Id = readonlyCollectionId2,
HidePasswords = false,
Manage = false,
ReadOnly = false
},
};
// User is upgrading editedCollectionId to manage
model.Collections = new List<SelectionReadOnlyRequestModel>
{
new() { Id = editedCollectionId, HidePasswords = false, Manage = true, ReadOnly = false }
};
// Save these for later - organizationUser object will be mutated
var orgUserId = organizationUser.Id;
var orgUserEmail = organizationUser.Email;
sutProvider.GetDependency<IOrganizationUserRepository>()
.GetByIdWithCollectionsAsync(organizationUser.Id)
.Returns(new Tuple<OrganizationUser, ICollection<CollectionAccessSelection>>(organizationUser,
currentCollectionAccess));
var currentCollections = currentCollectionAccess
.Select(cas => new Collection { Id = cas.Id }).ToList();
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
.Returns(currentCollections);
// Authorize the editedCollection
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == editedCollectionId),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
.Returns(AuthorizationResult.Success());
// Do not authorize the readonly collections
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == readonlyCollectionId1 || c.Id == readonlyCollectionId2),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
.Returns(AuthorizationResult.Failed());
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
// Expect all collection access (modified and unmodified) to be saved
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
ou.Type == model.Type &&
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
ou.AccessSecretsManager == model.AccessSecretsManager &&
ou.Id == orgUserId &&
ou.Email == orgUserEmail),
savingUserId,
Arg.Is<List<CollectionAccessSelection>>(cas =>
cas.Select(c => c.Id).SequenceEqual(currentCollectionAccess.Select(c => c.Id)) &&
cas.First(c => c.Id == editedCollectionId).Manage == true &&
cas.First(c => c.Id == editedCollectionId).ReadOnly == false &&
cas.First(c => c.Id == editedCollectionId).HidePasswords == false),
model.Groups);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotUpdateCollections(OrganizationUserUpdateRequestModel model,
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
{
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, false);
sutProvider.GetDependency<IOrganizationUserRepository>()
.GetByIdWithCollectionsAsync(organizationUser.Id)
.Returns(new Tuple<OrganizationUser, ICollection<CollectionAccessSelection>>(organizationUser,
model.Collections.Select(cas => cas.ToSelectionReadOnly()).ToList()));
var collections = model.Collections.Select(cas => new Collection { Id = cas.Id }).ToList();
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(Arg.Is<IEnumerable<Guid>>(guids => guids.SequenceEqual(collections.Select(c => c.Id))))
.Returns(collections);
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => collections.Contains(c)),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
.Returns(AuthorizationResult.Failed());
var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model));
Assert.Contains("You must have Can Manage permission", exception.Message);
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Invite(organizationAbility.Id, model));
}
[Theory]
@ -536,36 +300,6 @@ public class OrganizationUsersControllerTests
await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.GetAccountRecoveryDetails(organizationId, bulkRequestModel));
}
private void Put_Setup(SutProvider<OrganizationUsersController> sutProvider, OrganizationAbility organizationAbility,
OrganizationUser organizationUser, Guid savingUserId, OrganizationUserUpdateRequestModel model, bool authorizeAll)
{
var orgId = organizationAbility.Id = organizationUser.OrganizationId;
sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(organizationUser.Id).Returns(organizationUser);
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(orgId)
.Returns(organizationAbility);
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(savingUserId);
if (authorizeAll)
{
// Simple case: saving user can edit all collections, all collection access is replaced
sutProvider.GetDependency<IOrganizationUserRepository>()
.GetByIdWithCollectionsAsync(organizationUser.Id)
.Returns(new Tuple<OrganizationUser, ICollection<CollectionAccessSelection>>(organizationUser,
model.Collections.Select(cas => cas.ToSelectionReadOnly()).ToList()));
var collections = model.Collections.Select(cas => new Collection { Id = cas.Id }).ToList();
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(Arg.Is<IEnumerable<Guid>>(guids => guids.SequenceEqual(collections.Select(c => c.Id))))
.Returns(collections);
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => collections.Contains(c)),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(r => r.Contains(BulkCollectionOperations.ModifyUserAccess)))
.Returns(AuthorizationResult.Success());
}
}
private void Get_Setup(OrganizationAbility organizationAbility,
ICollection<OrganizationUserUserDetails> organizationUsers,
SutProvider<OrganizationUsersController> sutProvider)