[SM-923] Add project service accounts access policies management endpoints (#3993)

* Add new models * Update repositories * Add new authz handler * Add new query * Add new command * Add authz, command, and query to DI * Add new endpoint to controller * Add query unit tests * Add api unit tests * Add api integration tests
2025-06-30 07:36:14 -05:00 · 2024-05-02 11:06:20 -05:00
parent e302ee1520
commit 7f8cea58d0
23 changed files with 1559 additions and 29 deletions
--- a/test/Api.IntegrationTest/SecretsManager/Controllers/AccessPoliciesControllerTests.cs
+++ b/test/Api.IntegrationTest/SecretsManager/Controllers/AccessPoliciesControllerTests.cs
@ -1169,6 +1169,209 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
        Assert.Single(result.GrantedProjectPolicies);
    }

+    [Theory]
+    [InlineData(false, false, false)]
+    [InlineData(false, false, true)]
+    [InlineData(false, true, false)]
+    [InlineData(false, true, true)]
+    [InlineData(true, false, false)]
+    [InlineData(true, false, true)]
+    [InlineData(true, true, false)]
+    public async Task GetProjectServiceAccountsAccessPoliciesAsync_SmAccessDenied_ReturnsNotFound(bool useSecrets, bool accessSecrets, bool organizationEnabled)
+    {
+        var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
+        await _loginHelper.LoginAsync(_email);
+        var initData = await SetupAccessPolicyRequest(org.Id);
+
+        var response = await _client.GetAsync($"/projects/{initData.ProjectId}/access-policies/service-accounts");
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task GetProjectServiceAccountsAccessPoliciesAsync_NoAccessPolicies_ReturnsEmpty()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var project = await _projectRepository.CreateAsync(new Project
+        {
+            OrganizationId = org.Id,
+            Name = _mockEncryptedString,
+        });
+
+        var response = await _client.GetAsync($"/projects/{project.Id}/access-policies/service-accounts");
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<ProjectServiceAccountsAccessPoliciesResponseModel>();
+
+        Assert.NotNull(result);
+        Assert.Empty(result.ServiceAccountAccessPolicies);
+    }
+
+    [Fact]
+    public async Task GetProjectServiceAccountsAccessPoliciesAsync_UserDoesntHavePermission_ReturnsNotFound()
+    {
+        // Create a new account as a user
+        await _organizationHelper.Initialize(true, true, true);
+        var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
+        await _loginHelper.LoginAsync(email);
+
+        var initData = await SetupAccessPolicyRequest(orgUser.OrganizationId);
+
+        var response = await _client.GetAsync($"/projects/{initData.ProjectId}/access-policies/service-accounts");
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(PermissionType.RunAsAdmin)]
+    [InlineData(PermissionType.RunAsUserWithPermission)]
+    public async Task GetProjectServiceAccountsAccessPoliciesAsync_Success(PermissionType permissionType)
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+        var initData = await SetupAccessPolicyRequest(org.Id);
+
+        if (permissionType == PermissionType.RunAsUserWithPermission)
+        {
+            var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
+            await _loginHelper.LoginAsync(email);
+            var accessPolicies = new List<BaseAccessPolicy>
+            {
+                new UserProjectAccessPolicy
+                {
+                    GrantedProjectId = initData.ProjectId, OrganizationUserId = orgUser.Id, Read = true, Write = true,
+                }
+            };
+            await _accessPolicyRepository.CreateManyAsync(accessPolicies);
+        }
+
+        var response = await _client.GetAsync($"/projects/{initData.ProjectId}/access-policies/service-accounts");
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content
+            .ReadFromJsonAsync<ProjectServiceAccountsAccessPoliciesResponseModel>();
+
+        Assert.NotNull(result);
+        Assert.NotEmpty(result.ServiceAccountAccessPolicies);
+        Assert.Equal(initData.ServiceAccountId, result.ServiceAccountAccessPolicies.First().ServiceAccountId);
+        Assert.NotNull(result.ServiceAccountAccessPolicies.First().ServiceAccountName);
+        Assert.NotNull(result.ServiceAccountAccessPolicies.First().GrantedProjectName);
+    }
+
+    [Theory]
+    [InlineData(false, false, false)]
+    [InlineData(false, false, true)]
+    [InlineData(false, true, false)]
+    [InlineData(false, true, true)]
+    [InlineData(true, false, false)]
+    [InlineData(true, false, true)]
+    [InlineData(true, true, false)]
+    public async Task PutProjectServiceAccountsAccessPoliciesAsync_SmNotEnabled_NotFound(bool useSecrets,
+        bool accessSecrets, bool organizationEnabled)
+    {
+        var (_, organizationUser) =
+            await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
+        await _loginHelper.LoginAsync(_email);
+
+        var (projectId, serviceAccountId) = await CreateProjectAndServiceAccountAsync(organizationUser.OrganizationId);
+
+        var request = new ProjectServiceAccountsAccessPoliciesRequestModel
+        {
+            ServiceAccountAccessPolicyRequests =
+            [
+                new AccessPolicyRequest { GranteeId = serviceAccountId, Read = true, Write = true }
+            ]
+        };
+
+        var response = await _client.PutAsJsonAsync($"/projects/{projectId}/access-policies/service-accounts", request);
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task PutProjectServiceAccountsAccessPoliciesAsync_UserHasNoPermission_ReturnsNotFound()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        var (email, _) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
+        await _loginHelper.LoginAsync(email);
+
+        var (projectId, serviceAccountId) = await CreateProjectAndServiceAccountAsync(org.Id);
+
+        var request = new ProjectServiceAccountsAccessPoliciesRequestModel
+        {
+            ServiceAccountAccessPolicyRequests =
+            [
+                new AccessPolicyRequest { GranteeId = serviceAccountId, Read = true, Write = true }
+            ]
+        };
+
+        var response = await _client.PutAsJsonAsync($"/projects/{projectId}/access-policies/service-accounts", request);
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(PermissionType.RunAsAdmin)]
+    [InlineData(PermissionType.RunAsUserWithPermission)]
+    public async Task PutProjectServiceAccountsAccessPoliciesAsync_MismatchedOrgIds_ReturnsNotFound(
+        PermissionType permissionType)
+    {
+        var (_, organizationUser) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var (project, request) =
+            await SetupProjectServiceAccountsAccessPoliciesRequestAsync(permissionType, organizationUser,
+                false);
+
+        var newOrg = await _organizationHelper.CreateSmOrganizationAsync();
+
+        var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
+        {
+            Name = _mockEncryptedString,
+            OrganizationId = newOrg.Id
+        });
+        request.ServiceAccountAccessPolicyRequests =
+        [
+            new AccessPolicyRequest { GranteeId = serviceAccount.Id, Read = true, Write = true }
+        ];
+
+        var response =
+            await _client.PutAsJsonAsync($"/projects/{project.Id}/access-policies/service-accounts", request);
+
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(PermissionType.RunAsAdmin, false)]
+    [InlineData(PermissionType.RunAsAdmin, true)]
+    [InlineData(PermissionType.RunAsUserWithPermission, false)]
+    [InlineData(PermissionType.RunAsUserWithPermission, true)]
+    public async Task PutProjectServiceAccountsAccessPoliciesAsync_Success(PermissionType permissionType,
+        bool createPreviousAccessPolicy)
+    {
+        var (_, organizationUser) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var (project, request) =
+            await SetupProjectServiceAccountsAccessPoliciesRequestAsync(permissionType, organizationUser,
+                createPreviousAccessPolicy);
+
+        var response =
+            await _client.PutAsJsonAsync($"/projects/{project.Id}/access-policies/service-accounts", request);
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content
+            .ReadFromJsonAsync<ProjectServiceAccountsAccessPoliciesResponseModel>();
+
+        Assert.NotNull(result);
+        Assert.Equal(request.ServiceAccountAccessPolicyRequests.First().GranteeId,
+            result.ServiceAccountAccessPolicies.First().ServiceAccountId);
+        Assert.True(result.ServiceAccountAccessPolicies.First().Read);
+        Assert.True(result.ServiceAccountAccessPolicies.First().Write);
+        Assert.Single(result.ServiceAccountAccessPolicies);
+    }
+
    private async Task<RequestSetupData> SetupAccessPolicyRequest(Guid organizationId)
    {
        var project = await _projectRepository.CreateAsync(new Project
@ -1184,13 +1387,15 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
        });

        var accessPolicy = await _accessPolicyRepository.CreateManyAsync(
-            new List<BaseAccessPolicy>
+        [
+            new ServiceAccountProjectAccessPolicy
            {
-                new ServiceAccountProjectAccessPolicy
-                {
-                    Read = true, Write = true, ServiceAccountId = serviceAccount.Id, GrantedProjectId = project.Id,
-                },
-            });
+                Read = true,
+                Write = true,
+                ServiceAccountId = serviceAccount.Id,
+                GrantedProjectId = project.Id,
+            }
+        ]);

        return new RequestSetupData
        {
@ -1395,6 +1600,65 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
        return (serviceAccount, request);
    }

+    private async Task<(Project project, ProjectServiceAccountsAccessPoliciesRequestModel request)>
+        SetupProjectServiceAccountsAccessPoliciesRequestAsync(
+            PermissionType permissionType, OrganizationUser organizationUser, bool createPreviousAccessPolicy)
+    {
+        var (project, currentUser) = await SetupProjectPeoplePermissionAsync(permissionType, organizationUser);
+        var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
+        {
+            Name = _mockEncryptedString,
+            OrganizationId = currentUser.OrganizationId
+        });
+
+        var accessPolicies = new List<BaseAccessPolicy>
+        {
+            new UserServiceAccountAccessPolicy
+            {
+                GrantedServiceAccountId = serviceAccount.Id,
+                OrganizationUserId = currentUser.Id,
+                Read = true,
+                Write = true
+            }
+        };
+
+        var request = new ProjectServiceAccountsAccessPoliciesRequestModel
+        {
+            ServiceAccountAccessPolicyRequests =
+            [
+                new() { GranteeId = serviceAccount.Id, Read = true, Write = true }
+            ]
+        };
+
+        if (createPreviousAccessPolicy)
+        {
+            var anotherServiceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
+            {
+                Name = _mockEncryptedString,
+                OrganizationId = currentUser.OrganizationId
+            });
+
+            accessPolicies.Add(new UserServiceAccountAccessPolicy
+            {
+                GrantedServiceAccountId = anotherServiceAccount.Id,
+                OrganizationUserId = currentUser.Id,
+                Read = true,
+                Write = true
+            });
+            accessPolicies.Add(new ServiceAccountProjectAccessPolicy
+            {
+                GrantedProjectId = project.Id,
+                ServiceAccountId = anotherServiceAccount.Id,
+                Read = true,
+                Write = true
+            });
+        }
+
+        await _accessPolicyRepository.CreateManyAsync(accessPolicies);
+
+        return (project, request);
+    }
+
    private class RequestSetupData
    {
        public Guid ProjectId { get; set; }