nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00
Code Activity

[PM-11360] Remove export permission for providers (#5051)

Browse Source 
- also fix managed collections export from CLI
This commit is contained in:
Thomas Rittson
2024-12-06 08:07:04 +10:00
committed by GitHub
parent 1f1510f4d4
commit 6a9b7ece2b
13 changed files with 428 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

95
test/Api.Test/Tools/Authorization/VaultExportAuthorizationHandlerTests.cs Normal file
View File

@ -0,0 +1,95 @@
using System.Security.Claims;
using Bit.Api.Tools.Authorization;
using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Models.Data;
using Bit.Core.Test.AdminConsole.Helpers;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using Microsoft.AspNetCore.Authorization;
using NSubstitute;
using Xunit;
namespace Bit.Api.Test.Tools.Authorization;
[SutProviderCustomize]
public class VaultExportAuthorizationHandlerTests
{
public static IEnumerable<object[]> CanExportWholeVault => new List<CurrentContextOrganization>
{
new () { Type = OrganizationUserType.Owner },
new () { Type = OrganizationUserType.Admin },
new ()
{
Type = OrganizationUserType.Custom, Permissions = new Permissions { AccessImportExport = true }
}
}.Select(org => new[] { org });
[Theory]
[BitMemberAutoData(nameof(CanExportWholeVault))]
public async Task ExportAll_PermittedRoles_Success(CurrentContextOrganization org, OrganizationScope orgScope, ClaimsPrincipal user,
SutProvider<VaultExportAuthorizationHandler> sutProvider)
{
org.Id = orgScope;
sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgScope).Returns(org);
var authContext = new AuthorizationHandlerContext(new[] { VaultExportOperations.ExportWholeVault }, user, orgScope);
await sutProvider.Sut.HandleAsync(authContext);
Assert.True(authContext.HasSucceeded);
}
public static IEnumerable<object[]> CannotExportWholeVault => new List<CurrentContextOrganization>
{
new () { Type = OrganizationUserType.User },
new ()
{
Type = OrganizationUserType.Custom, Permissions = new Permissions { AccessImportExport = true }.Invert()
}
}.Select(org => new[] { org });
[Theory]
[BitMemberAutoData(nameof(CannotExportWholeVault))]
public async Task ExportAll_NotPermitted_Failure(CurrentContextOrganization org, OrganizationScope orgScope, ClaimsPrincipal user,
SutProvider<VaultExportAuthorizationHandler> sutProvider)
{
org.Id = orgScope;
sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgScope).Returns(org);
var authContext = new AuthorizationHandlerContext(new[] { VaultExportOperations.ExportWholeVault }, user, orgScope);
await sutProvider.Sut.HandleAsync(authContext);
Assert.False(authContext.HasSucceeded);
}
public static IEnumerable<object[]> CanExportManagedCollections =>
AuthorizationHelpers.AllRoles().Select(o => new[] { o });
[Theory]
[BitMemberAutoData(nameof(CanExportManagedCollections))]
public async Task ExportManagedCollections_PermittedRoles_Success(CurrentContextOrganization org, OrganizationScope orgScope, ClaimsPrincipal user,
SutProvider<VaultExportAuthorizationHandler> sutProvider)
{
org.Id = orgScope;
sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgScope).Returns(org);
var authContext = new AuthorizationHandlerContext(new[] { VaultExportOperations.ExportManagedCollections }, user, orgScope);
await sutProvider.Sut.HandleAsync(authContext);
Assert.True(authContext.HasSucceeded);
}
[Theory]
[BitAutoData([null])]
public async Task ExportManagedCollections_NotPermitted_Failure(CurrentContextOrganization org, OrganizationScope orgScope, ClaimsPrincipal user,
SutProvider<VaultExportAuthorizationHandler> sutProvider)
{
sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgScope).Returns(org);
var authContext = new AuthorizationHandlerContext(new[] { VaultExportOperations.ExportManagedCollections }, user, orgScope);
await sutProvider.Sut.HandleAsync(authContext);
Assert.False(authContext.HasSucceeded);
}
}