[SM-501] Add support for revoking access tokens (#2692)

* Add support for revoking access tokens
2025-06-30 15:42:48 -05:00 · 2023-02-16 10:51:02 +01:00
parent e6635ff590
commit 7a209aa3bb
13 changed files with 315 additions and 5 deletions
--- a/test/Api.IntegrationTest/SecretsManager/Controllers/ServiceAccountsControllerTests.cs
+++ b/test/Api.IntegrationTest/SecretsManager/Controllers/ServiceAccountsControllerTests.cs
@ -1,6 +1,7 @@
 using System.Net;
 using System.Net.Http.Headers;
 using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.SecretsManager.Enums;
 using Bit.Api.Models.Response;
 using Bit.Api.SecretsManager.Models.Request;
 using Bit.Api.SecretsManager.Models.Response;
@ -21,9 +22,11 @@ public class ServiceAccountsControllerTest : IClassFixture<ApiApplicationFactory
    private const string _mockNewName =
        "2.3AZ+WNBIoU5xzmVFNcoWzz==|1MsPIYuRfdOHfu/0uY6H2Q==|/98xy4wb6pHP1VTZ9JcNCYgQjEUMFPlqJgCwRk1YXKg=";

-    private readonly IAccessPolicyRepository _accessPolicyRepository;
    private readonly HttpClient _client;
    private readonly ApiApplicationFactory _factory;
+
+    private readonly IAccessPolicyRepository _accessPolicyRepository;
+    private readonly IApiKeyRepository _apiKeyRepository;
    private readonly IServiceAccountRepository _serviceAccountRepository;

    private string _email = null!;
@ -35,6 +38,7 @@ public class ServiceAccountsControllerTest : IClassFixture<ApiApplicationFactory
        _client = _factory.CreateClient();
        _serviceAccountRepository = _factory.GetService<IServiceAccountRepository>();
        _accessPolicyRepository = _factory.GetService<IAccessPolicyRepository>();
+        _apiKeyRepository = _factory.GetService<IApiKeyRepository>();
    }

    public async Task InitializeAsync()
@ -426,6 +430,130 @@ public class ServiceAccountsControllerTest : IClassFixture<ApiApplicationFactory
        AssertHelper.AssertRecent(result.CreationDate);
    }

+    [Theory]
+    [InlineData(false, false)]
+    [InlineData(true, false)]
+    [InlineData(false, true)]
+    public async Task RevokeAccessToken_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
+    {
+        var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
+        await LoginAsync(_email);
+
+        var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
+        {
+            OrganizationId = org.Id,
+            Name = _mockEncryptedString,
+        });
+
+        var accessToken = await _apiKeyRepository.CreateAsync(new ApiKey
+        {
+            ServiceAccountId = org.Id,
+            Name = _mockEncryptedString,
+            ExpireAt = DateTime.UtcNow.AddDays(30),
+        });
+
+        var request = new RevokeAccessTokensRequest
+        {
+            Ids = new[] { accessToken.Id },
+        };
+
+        var response = await _client.PostAsJsonAsync($"/service-accounts/{serviceAccount.Id}/access-tokens/revoke", request);
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(false)]
+    [InlineData(true)]
+    public async Task RevokeAccessToken_User_NoPermission(bool hasReadAccess)
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true);
+        var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
+        await LoginAsync(email);
+
+        var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
+        {
+            OrganizationId = org.Id,
+            Name = _mockEncryptedString,
+        });
+
+        if (hasReadAccess)
+        {
+            await _accessPolicyRepository.CreateManyAsync(new List<BaseAccessPolicy> {
+                new UserServiceAccountAccessPolicy
+                {
+                    GrantedServiceAccountId = serviceAccount.Id,
+                    OrganizationUserId = orgUser.Id,
+                    Write = false,
+                    Read = true,
+                },
+            });
+        }
+
+        var accessToken = await _apiKeyRepository.CreateAsync(new ApiKey
+        {
+            ServiceAccountId = org.Id,
+            Name = _mockEncryptedString,
+            ExpireAt = DateTime.UtcNow.AddDays(30),
+        });
+
+        var request = new RevokeAccessTokensRequest
+        {
+            Ids = new[] { accessToken.Id },
+        };
+
+        var response = await _client.PostAsJsonAsync($"/service-accounts/{serviceAccount.Id}/access-tokens/revoke", request);
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(PermissionType.RunAsAdmin)]
+    [InlineData(PermissionType.RunAsUserWithPermission)]
+    public async Task RevokeAccessToken_Success(PermissionType permissionType)
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true);
+
+        var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
+        {
+            OrganizationId = org.Id,
+            Name = _mockEncryptedString,
+        });
+
+        if (permissionType == PermissionType.RunAsAdmin)
+        {
+            await LoginAsync(_email);
+        }
+        else
+        {
+            var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
+            await LoginAsync(email);
+
+            await _accessPolicyRepository.CreateManyAsync(new List<BaseAccessPolicy> {
+                new UserServiceAccountAccessPolicy
+                {
+                    GrantedServiceAccountId = serviceAccount.Id,
+                    OrganizationUserId = orgUser.Id,
+                    Write = true,
+                    Read = true,
+                },
+            });
+        }
+
+        var accessToken = await _apiKeyRepository.CreateAsync(new ApiKey
+        {
+            ServiceAccountId = org.Id,
+            Name = _mockEncryptedString,
+            ExpireAt = DateTime.UtcNow.AddDays(30),
+        });
+
+        var request = new RevokeAccessTokensRequest
+        {
+            Ids = new[] { accessToken.Id },
+        };
+
+        var response = await _client.PostAsJsonAsync($"/service-accounts/{serviceAccount.Id}/access-tokens/revoke", request);
+        response.EnsureSuccessStatusCode();
+    }
+
    private async Task CreateUserPolicyAsync(Guid userId, Guid serviceAccountId, bool read, bool write)
    {
        var policy = new UserServiceAccountAccessPolicy