From 8f0ef49d7f2a65e763f705d0ad02a2d5a511a232 Mon Sep 17 00:00:00 2001
From: Oscar Hinton
Date: Wed, 7 Jul 2021 17:08:18 +0200
Subject: [PATCH] Organization Service permission refactor fix (#1432)
---
 .../Implementations/OrganizationService.cs | 2 +-
 .../Services/OrganizationServiceTests.cs | 42 +++++++++++++++++++
 2 files changed, 43 insertions(+), 1 deletion(-)
diff --git a/src/Core/Services/Implementations/OrganizationService.cs b/src/Core/Services/Implementations/OrganizationService.cs
index 23d7fe214e..fb900e6495 100644
--- a/src/Core/Services/Implementations/OrganizationService.cs
+++ b/src/Core/Services/Implementations/OrganizationService.cs
@@ -1961,7 +1961,7 @@ namespace Bit.Core.Services
         public async Task UpdateOrganizationKeysAsync(Guid orgId, string publicKey, string privateKey)
         {
-            if (_currentContext.ManageResetPassword(orgId))
+            if (!_currentContext.ManageResetPassword(orgId))
             {
                 throw new UnauthorizedAccessException();
             }
diff --git a/test/Core.Test/Services/OrganizationServiceTests.cs b/test/Core.Test/Services/OrganizationServiceTests.cs
index bbb93af51a..652363dd8e 100644
--- a/test/Core.Test/Services/OrganizationServiceTests.cs
+++ b/test/Core.Test/Services/OrganizationServiceTests.cs
@@ -699,5 +699,47 @@ namespace Bit.Core.Test.Services
             Assert.Contains("User does not have two-step login enabled.", result[1].Item2);
             Assert.Contains("User is a member of another organization.", result[2].Item2);
         }
+
+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task UpdateOrganizationKeysAsync_WithoutManageResetPassword_Throws(Guid orgId, string publicKey,
+            string privateKey, SutProvider sutProvider)
+        {
+            var currentContext = Substitute.For();
+            currentContext.ManageResetPassword(orgId).Returns(false);
+
+            await Assert.ThrowsAsync(
+                () => sutProvider.Sut.UpdateOrganizationKeysAsync(orgId, publicKey, privateKey));
+        }
+
+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task UpdateOrganizationKeysAsync_KeysAlreadySet_Throws(Organization org, string publicKey,
+            string privateKey, SutProvider sutProvider)
+        {
+            var currentContext = sutProvider.GetDependency();
+            currentContext.ManageResetPassword(org.Id).Returns(true);
+
+            var organizationRepository = sutProvider.GetDependency();
+            organizationRepository.GetByIdAsync(org.Id).Returns(org);
+
+            var exception = await Assert.ThrowsAsync(
+                () => sutProvider.Sut.UpdateOrganizationKeysAsync(org.Id, publicKey, privateKey));
+            Assert.Contains("Organization Keys already exist", exception.Message);
+        }
+
+        [Theory, CustomAutoData(typeof(SutProviderCustomization))]
+        public async Task UpdateOrganizationKeysAsync_KeysAlreadySet_Success(Organization org, string publicKey,
+            string privateKey, SutProvider sutProvider)
+        {
+            org.PublicKey = null;
+            org.PrivateKey = null;
+
+            var currentContext = sutProvider.GetDependency();
+            currentContext.ManageResetPassword(org.Id).Returns(true);
+
+            var organizationRepository = sutProvider.GetDependency();
+            organizationRepository.GetByIdAsync(org.Id).Returns(org);
+
+            await sutProvider.Sut.UpdateOrganizationKeysAsync(org.Id, publicKey, privateKey);
+        }
     }
 }
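Review bot: In `UpdateOrganizationKeysAsync_WithoutManageResetPassword_Throws`, `var currentContext = Substitute.For();` creates a standalone substitute that is never handed to `sutProvider`, so the `.Returns(false)` stub never reaches the service under test and the test only passes because the provider's own unconfigured substitute happens to return the default `false` — the authorization guard this commit fixes is therefore not really pinned by this test. Take the dependency from the provider as the two sibling tests do, `var currentContext = sutProvider.GetDependency();` with the same current-context type argument they pass (the generic arguments are not visible on this page). Separately, `UpdateOrganizationKeysAsync_KeysAlreadySet_Success` sets `org.PublicKey` and `org.PrivateKey` to `null` before the call, so its name states the opposite of the scenario; `UpdateOrganizationKeysAsync_KeysNotSet_Success` would read correctly. That success test also asserts nothing beyond "does not throw"; if the service persists the keys through the repository (its body is outside this hunk), an NSubstitute `Received()` check on that repository call would pin the actual outcome.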