nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00
Code Activity

[AC-2027] Update Flexible Collections logic to use organization property (#3644)

Browse Source 
* Update optionality to use org.FlexibleCollections

Also break old feature flag key to ensure it's never enabled

* Add logic to set defaults for collection management setting

* Update optionality logic to use org property

* Add comments

* Add helper method for getting individual orgAbility

* Fix validate user update permissions interface

* Fix tests

* dotnet format

* Fix more tests

* Simplify self-hosted update logic

* Fix mapping

* Use new getOrganizationAbility method

* Refactor invite and save orgUser methods

Pass in whole organization object instead of using OrganizationAbility

* fix CipherService tests

* dotnet format

* Remove manager check to simplify this set of changes

* Misc cleanup before review

* Fix undefined variable

* Refactor bulk-access endpoint to avoid early repo call

* Restore manager check

* Add tests for UpdateOrganizationLicenseCommand

* Add nullable regions

* Delete unused dependency

* dotnet format

* Fix test
This commit is contained in:
Thomas Rittson
2024-01-17 22:33:35 +10:00
committed by GitHub
parent ef37cdc71a
commit 96f9fbb951
27 changed files with 472 additions and 411 deletions
Download Patch File Download Diff File Expand all files Collapse all files

202
test/Api.Test/Controllers/CollectionsControllerTests.cs
View File

@ -2,16 +2,14 @@
using Bit.Api.Controllers;
using Bit.Api.Models.Request;
using Bit.Api.Vault.AuthorizationHandlers.Collections;
using Bit.Core;
using Bit.Core.AdminConsole.Entities;
using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Models.Data;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.OrganizationFeatures.OrganizationCollections.Interfaces;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Test.AutoFixture;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using Microsoft.AspNetCore.Authorization;
@ -22,16 +20,17 @@ namespace Bit.Api.Test.Controllers;
[ControllerCustomize(typeof(CollectionsController))]
[SutProviderCustomize]
[FeatureServiceCustomize(FeatureFlagKeys.FlexibleCollections)]
public class CollectionsControllerTests
{
[Theory, BitAutoData]
public async Task Post_Success(Guid orgId, CollectionRequestModel collectionRequest,
public async Task Post_Success(OrganizationAbility organizationAbility, CollectionRequestModel collectionRequest,
SutProvider<CollectionsController> sutProvider)
{
ArrangeOrganizationAbility(sutProvider, organizationAbility);
Collection ExpectedCollection() => Arg.Is<Collection>(c =>
c.Name == collectionRequest.Name && c.ExternalId == collectionRequest.ExternalId &&
c.OrganizationId == orgId);
c.OrganizationId == organizationAbility.Id);
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
@ -39,7 +38,7 @@ public class CollectionsControllerTests
Arg.Is<IEnumerable<IAuthorizationRequirement>>(r => r.Contains(BulkCollectionOperations.Create)))
.Returns(AuthorizationResult.Success());
_ = await sutProvider.Sut.Post(orgId, collectionRequest);
_ = await sutProvider.Sut.Post(organizationAbility.Id, collectionRequest);
await sutProvider.GetDependency<ICollectionService>()
.Received(1)
@ -49,8 +48,11 @@ public class CollectionsControllerTests
[Theory, BitAutoData]
public async Task Put_Success(Collection collection, CollectionRequestModel collectionRequest,
SutProvider<CollectionsController> sutProvider)
SutProvider<CollectionsController> sutProvider, OrganizationAbility organizationAbility)
{
ArrangeOrganizationAbility(sutProvider, organizationAbility);
collection.OrganizationId = organizationAbility.Id;
Collection ExpectedCollection() => Arg.Is<Collection>(c => c.Id == collection.Id &&
c.Name == collectionRequest.Name && c.ExternalId == collectionRequest.ExternalId &&
c.OrganizationId == collection.OrganizationId);
@ -75,8 +77,11 @@ public class CollectionsControllerTests
[Theory, BitAutoData]
public async Task Put_WithNoCollectionPermission_ThrowsNotFound(Collection collection, CollectionRequestModel collectionRequest,
SutProvider<CollectionsController> sutProvider)
SutProvider<CollectionsController> sutProvider, OrganizationAbility organizationAbility)
{
ArrangeOrganizationAbility(sutProvider, organizationAbility);
collection.OrganizationId = organizationAbility.Id;
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
collection,
@ -91,8 +96,11 @@ public class CollectionsControllerTests
}
[Theory, BitAutoData]
public async Task GetOrganizationCollectionsWithGroups_WithReadAllPermissions_GetsAllCollections(Organization organization, Guid userId, SutProvider<CollectionsController> sutProvider)
public async Task GetOrganizationCollectionsWithGroups_WithReadAllPermissions_GetsAllCollections(OrganizationAbility organizationAbility,
Guid userId, SutProvider<CollectionsController> sutProvider)
{
ArrangeOrganizationAbility(sutProvider, organizationAbility);
sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
sutProvider.GetDependency<IAuthorizationService>()
@ -102,18 +110,20 @@ public class CollectionsControllerTests
Arg.Is<IEnumerable<IAuthorizationRequirement>>(requirements =>
requirements.Cast<CollectionOperationRequirement>().All(operation =>
operation.Name == nameof(CollectionOperations.ReadAllWithAccess)
&& operation.OrganizationId == organization.Id)))
&& operation.OrganizationId == organizationAbility.Id)))
.Returns(AuthorizationResult.Success());
await sutProvider.Sut.GetManyWithDetails(organization.Id);
await sutProvider.Sut.GetManyWithDetails(organizationAbility.Id);
await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByUserIdWithAccessAsync(userId, organization.Id, Arg.Any<bool>());
await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByOrganizationIdWithAccessAsync(organization.Id);
await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByUserIdWithAccessAsync(userId, organizationAbility.Id, Arg.Any<bool>());
await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByOrganizationIdWithAccessAsync(organizationAbility.Id);
}
[Theory, BitAutoData]
public async Task GetOrganizationCollectionsWithGroups_MissingReadAllPermissions_GetsAssignedCollections(Organization organization, Guid userId, SutProvider<CollectionsController> sutProvider)
public async Task GetOrganizationCollectionsWithGroups_MissingReadAllPermissions_GetsAssignedCollections(
OrganizationAbility organizationAbility, Guid userId, SutProvider<CollectionsController> sutProvider)
{
ArrangeOrganizationAbility(sutProvider, organizationAbility);
sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
sutProvider.GetDependency<IAuthorizationService>()
@ -123,7 +133,7 @@ public class CollectionsControllerTests
Arg.Is<IEnumerable<IAuthorizationRequirement>>(requirements =>
requirements.Cast<CollectionOperationRequirement>().All(operation =>
operation.Name == nameof(CollectionOperations.ReadAllWithAccess)
&& operation.OrganizationId == organization.Id)))
&& operation.OrganizationId == organizationAbility.Id)))
.Returns(AuthorizationResult.Failed());
sutProvider.GetDependency<IAuthorizationService>()
@ -135,15 +145,19 @@ public class CollectionsControllerTests
operation.Name == nameof(BulkCollectionOperations.ReadWithAccess))))
.Returns(AuthorizationResult.Success());
await sutProvider.Sut.GetManyWithDetails(organization.Id);
await sutProvider.Sut.GetManyWithDetails(organizationAbility.Id);
await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByUserIdWithAccessAsync(userId, organization.Id, Arg.Any<bool>());
await sutProvider.GetDependency<ICollectionRepository>().DidNotReceive().GetManyByOrganizationIdWithAccessAsync(organization.Id);
await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByUserIdWithAccessAsync(userId, organizationAbility.Id, Arg.Any<bool>());
await sutProvider.GetDependency<ICollectionRepository>().DidNotReceive().GetManyByOrganizationIdWithAccessAsync(organizationAbility.Id);
}
[Theory, BitAutoData]
public async Task GetOrganizationCollections_WithReadAllPermissions_GetsAllCollections(Organization organization, ICollection<Collection> collections, Guid userId, SutProvider<CollectionsController> sutProvider)
public async Task GetOrganizationCollections_WithReadAllPermissions_GetsAllCollections(
OrganizationAbility organizationAbility, List<Collection> collections, Guid userId, SutProvider<CollectionsController> sutProvider)
{
ArrangeOrganizationAbility(sutProvider, organizationAbility);
collections.ForEach(c => c.OrganizationId = organizationAbility.Id);
sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
sutProvider.GetDependency<IAuthorizationService>()
@ -153,26 +167,30 @@ public class CollectionsControllerTests
Arg.Is<IEnumerable<IAuthorizationRequirement>>(requirements =>
requirements.Cast<CollectionOperationRequirement>().All(operation =>
operation.Name == nameof(CollectionOperations.ReadAll)
&& operation.OrganizationId == organization.Id)))
&& operation.OrganizationId == organizationAbility.Id)))
.Returns(AuthorizationResult.Success());
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByOrganizationIdAsync(organization.Id)
.GetManyByOrganizationIdAsync(organizationAbility.Id)
.Returns(collections);
var response = await sutProvider.Sut.Get(organization.Id);
var response = await sutProvider.Sut.Get(organizationAbility.Id);
await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByOrganizationIdAsync(organization.Id);
await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByOrganizationIdAsync(organizationAbility.Id);
Assert.Equal(collections.Count, response.Data.Count());
}
[Theory, BitAutoData]
public async Task GetOrganizationCollections_MissingReadAllPermissions_GetsManageableCollections(Organization organization, ICollection<CollectionDetails> collections, Guid userId, SutProvider<CollectionsController> sutProvider)
public async Task GetOrganizationCollections_MissingReadAllPermissions_GetsManageableCollections(
OrganizationAbility organizationAbility, List<CollectionDetails> collections, Guid userId, SutProvider<CollectionsController> sutProvider)
{
collections.First().OrganizationId = organization.Id;
collections.First().Manage = true;
collections.Skip(1).First().OrganizationId = organization.Id;
ArrangeOrganizationAbility(sutProvider, organizationAbility);
collections.ForEach(c => c.OrganizationId = organizationAbility.Id);
collections.ForEach(c => c.Manage = false);
var managedCollection = collections.First();
managedCollection.Manage = true;
sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
@ -183,7 +201,7 @@ public class CollectionsControllerTests
Arg.Is<IEnumerable<IAuthorizationRequirement>>(requirements =>
requirements.Cast<CollectionOperationRequirement>().All(operation =>
operation.Name == nameof(CollectionOperations.ReadAll)
&& operation.OrganizationId == organization.Id)))
&& operation.OrganizationId == organizationAbility.Id)))
.Returns(AuthorizationResult.Failed());
sutProvider.GetDependency<IAuthorizationService>()
@ -196,22 +214,27 @@ public class CollectionsControllerTests
.Returns(AuthorizationResult.Success());
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByUserIdAsync(userId, true)
.GetManyByUserIdAsync(userId, false)
.Returns(collections);
var result = await sutProvider.Sut.Get(organization.Id);
var result = await sutProvider.Sut.Get(organizationAbility.Id);
await sutProvider.GetDependency<ICollectionRepository>().DidNotReceive().GetManyByOrganizationIdAsync(organization.Id);
await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByUserIdAsync(userId, true);
await sutProvider.GetDependency<ICollectionRepository>().DidNotReceive().GetManyByOrganizationIdAsync(organizationAbility.Id);
await sutProvider.GetDependency<ICollectionRepository>().Received(1).GetManyByUserIdAsync(userId, false);
Assert.Single(result.Data);
Assert.All(result.Data, c => Assert.Equal(organization.Id, c.OrganizationId));
Assert.All(result.Data, c => Assert.Equal(organizationAbility.Id, c.OrganizationId));
Assert.All(result.Data, c => Assert.Equal(managedCollection.Id, c.Id));
}
[Theory, BitAutoData]
public async Task DeleteMany_Success(Guid orgId, Collection collection1, Collection collection2, SutProvider<CollectionsController> sutProvider)
public async Task DeleteMany_Success(OrganizationAbility organizationAbility, Collection collection1, Collection collection2,
SutProvider<CollectionsController> sutProvider)
{
// Arrange
var orgId = organizationAbility.Id;
ArrangeOrganizationAbility(sutProvider, organizationAbility);
var model = new CollectionBulkDeleteRequestModel
{
Ids = new[] { collection1.Id, collection2.Id }
@ -251,9 +274,13 @@ public class CollectionsControllerTests
}
[Theory, BitAutoData]
public async Task DeleteMany_PermissionDenied_ThrowsNotFound(Guid orgId, Collection collection1, Collection collection2, SutProvider<CollectionsController> sutProvider)
public async Task DeleteMany_PermissionDenied_ThrowsNotFound(OrganizationAbility organizationAbility, Collection collection1,
Collection collection2, SutProvider<CollectionsController> sutProvider)
{
// Arrange
var orgId = organizationAbility.Id;
ArrangeOrganizationAbility(sutProvider, organizationAbility);
var model = new CollectionBulkDeleteRequestModel
{
Ids = new[] { collection1.Id, collection2.Id }
@ -292,9 +319,13 @@ public class CollectionsControllerTests
}
[Theory, BitAutoData]
public async Task PostBulkCollectionAccess_Success(User actingUser, ICollection<Collection> collections, SutProvider<CollectionsController> sutProvider)
public async Task PostBulkCollectionAccess_Success(User actingUser, List<Collection> collections,
OrganizationAbility organizationAbility, SutProvider<CollectionsController> sutProvider)
{
// Arrange
ArrangeOrganizationAbility(sutProvider, organizationAbility);
collections.ForEach(c => c.OrganizationId = organizationAbility.Id);
var userId = Guid.NewGuid();
var groupId = Guid.NewGuid();
var model = new BulkCollectionAccessRequestModel
@ -321,7 +352,7 @@ public class CollectionsControllerTests
IEnumerable<Collection> ExpectedCollectionAccess() => Arg.Is<IEnumerable<Collection>>(cols => cols.SequenceEqual(collections));
// Act
await sutProvider.Sut.PostBulkCollectionAccess(model);
await sutProvider.Sut.PostBulkCollectionAccess(organizationAbility.Id, model);
// Assert
await sutProvider.GetDependency<IAuthorizationService>().Received().AuthorizeAsync(
@ -338,8 +369,13 @@ public class CollectionsControllerTests
}
[Theory, BitAutoData]
public async Task PostBulkCollectionAccess_CollectionsNotFound_Throws(User actingUser, ICollection<Collection> collections, SutProvider<CollectionsController> sutProvider)
public async Task PostBulkCollectionAccess_CollectionsNotFound_Throws(User actingUser,
OrganizationAbility organizationAbility, List<Collection> collections,
SutProvider<CollectionsController> sutProvider)
{
ArrangeOrganizationAbility(sutProvider, organizationAbility);
collections.ForEach(c => c.OrganizationId = organizationAbility.Id);
var userId = Guid.NewGuid();
var groupId = Guid.NewGuid();
var model = new BulkCollectionAccessRequestModel
@ -356,7 +392,8 @@ public class CollectionsControllerTests
.GetManyByManyIdsAsync(model.CollectionIds)
.Returns(collections.Skip(1).ToList());
var exception = await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PostBulkCollectionAccess(model));
var exception = await Assert.ThrowsAsync<NotFoundException>(
() => sutProvider.Sut.PostBulkCollectionAccess(organizationAbility.Id, model));
Assert.Equal("One or more collections not found.", exception.Message);
await sutProvider.GetDependency<IAuthorizationService>().DidNotReceiveWithAnyArgs().AuthorizeAsync(
@ -369,8 +406,81 @@ public class CollectionsControllerTests
}
[Theory, BitAutoData]
public async Task PostBulkCollectionAccess_AccessDenied_Throws(User actingUser, ICollection<Collection> collections, SutProvider<CollectionsController> sutProvider)
public async Task PostBulkCollectionAccess_CollectionsBelongToDifferentOrganizations_Throws(User actingUser,
OrganizationAbility organizationAbility, List<Collection> collections,
SutProvider<CollectionsController> sutProvider)
{
ArrangeOrganizationAbility(sutProvider, organizationAbility);
// First collection has a different orgId
collections.Skip(1).ToList().ForEach(c => c.OrganizationId = organizationAbility.Id);
var userId = Guid.NewGuid();
var groupId = Guid.NewGuid();
var model = new BulkCollectionAccessRequestModel
{
CollectionIds = collections.Select(c => c.Id),
Users = new[] { new SelectionReadOnlyRequestModel { Id = userId, Manage = true } },
Groups = new[] { new SelectionReadOnlyRequestModel { Id = groupId, ReadOnly = true } },
};
sutProvider.GetDependency<ICurrentContext>()
.UserId.Returns(actingUser.Id);
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(model.CollectionIds)
.Returns(collections);
var exception = await Assert.ThrowsAsync<NotFoundException>(
() => sutProvider.Sut.PostBulkCollectionAccess(organizationAbility.Id, model));
Assert.Equal("One or more collections not found.", exception.Message);
await sutProvider.GetDependency<IAuthorizationService>().DidNotReceiveWithAnyArgs().AuthorizeAsync(
Arg.Any<ClaimsPrincipal>(),
Arg.Any<IEnumerable<Collection>>(),
Arg.Any<IEnumerable<IAuthorizationRequirement>>()
);
await sutProvider.GetDependency<IBulkAddCollectionAccessCommand>().DidNotReceiveWithAnyArgs()
.AddAccessAsync(default, default, default);
}
[Theory, BitAutoData]
public async Task PostBulkCollectionAccess_FlexibleCollectionsDisabled_Throws(OrganizationAbility organizationAbility, List<Collection> collections,
SutProvider<CollectionsController> sutProvider)
{
organizationAbility.FlexibleCollections = false;
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organizationAbility.Id)
.Returns(organizationAbility);
var userId = Guid.NewGuid();
var groupId = Guid.NewGuid();
var model = new BulkCollectionAccessRequestModel
{
CollectionIds = collections.Select(c => c.Id),
Users = new[] { new SelectionReadOnlyRequestModel { Id = userId, Manage = true } },
Groups = new[] { new SelectionReadOnlyRequestModel { Id = groupId, ReadOnly = true } },
};
var exception = await Assert.ThrowsAsync<NotFoundException>(
() => sutProvider.Sut.PostBulkCollectionAccess(organizationAbility.Id, model));
Assert.Equal("Feature disabled.", exception.Message);
await sutProvider.GetDependency<IAuthorizationService>().DidNotReceiveWithAnyArgs().AuthorizeAsync(
Arg.Any<ClaimsPrincipal>(),
Arg.Any<IEnumerable<Collection>>(),
Arg.Any<IEnumerable<IAuthorizationRequirement>>()
);
await sutProvider.GetDependency<IBulkAddCollectionAccessCommand>().DidNotReceiveWithAnyArgs()
.AddAccessAsync(default, default, default);
}
[Theory, BitAutoData]
public async Task PostBulkCollectionAccess_AccessDenied_Throws(User actingUser, List<Collection> collections,
OrganizationAbility organizationAbility, SutProvider<CollectionsController> sutProvider)
{
ArrangeOrganizationAbility(sutProvider, organizationAbility);
collections.ForEach(c => c.OrganizationId = organizationAbility.Id);
var userId = Guid.NewGuid();
var groupId = Guid.NewGuid();
var model = new BulkCollectionAccessRequestModel
@ -396,7 +506,7 @@ public class CollectionsControllerTests
IEnumerable<Collection> ExpectedCollectionAccess() => Arg.Is<IEnumerable<Collection>>(cols => cols.SequenceEqual(collections));
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PostBulkCollectionAccess(model));
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.PostBulkCollectionAccess(organizationAbility.Id, model));
await sutProvider.GetDependency<IAuthorizationService>().Received().AuthorizeAsync(
Arg.Any<ClaimsPrincipal>(),
ExpectedCollectionAccess(),
@ -406,4 +516,12 @@ public class CollectionsControllerTests
await sutProvider.GetDependency<IBulkAddCollectionAccessCommand>().DidNotReceiveWithAnyArgs()
.AddAccessAsync(default, default, default);
}
private void ArrangeOrganizationAbility(SutProvider<CollectionsController> sutProvider, OrganizationAbility organizationAbility)
{
organizationAbility.FlexibleCollections = true;
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organizationAbility.Id)
.Returns(organizationAbility);
}
}