[PM-3478] Refactor OrganizationUser api (#4752)

* Add OrganizationUserMiniDetails endpoint, models and authorization * Restrict access to current OrganizationUserUserDetails endpoint Both are behind feature flags
2025-06-30 07:36:14 -05:00 · 2024-10-01 07:14:16 +10:00
parent 7368e57b7b
commit c94a084c86
16 changed files with 514 additions and 211 deletions
--- a/test/Api.Test/Vault/AuthorizationHandlers/OrganizationUserAuthorizationHandlerTests.cs
+++ b/test/Api.Test/Vault/AuthorizationHandlers/OrganizationUserAuthorizationHandlerTests.cs
@ -1,122 +0,0 @@
-using System.Security.Claims;
-using Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
-using Bit.Core.Context;
-using Bit.Core.Enums;
-using Bit.Core.Models.Data;
-using Bit.Test.Common.AutoFixture;
-using Bit.Test.Common.AutoFixture.Attributes;
-using Microsoft.AspNetCore.Authorization;
-using NSubstitute;
-using Xunit;
-
-namespace Bit.Api.Test.Vault.AuthorizationHandlers;
-
-[SutProviderCustomize]
-public class OrganizationUserAuthorizationHandlerTests
-{
-    [Theory]
-    [BitAutoData(OrganizationUserType.Admin)]
-    [BitAutoData(OrganizationUserType.Owner)]
-    [BitAutoData(OrganizationUserType.User)]
-    [BitAutoData(OrganizationUserType.Custom)]
-    public async Task CanReadAllAsync_WhenMemberOfOrg_Success(
-        OrganizationUserType userType,
-        Guid userId, SutProvider<OrganizationUserAuthorizationHandler> sutProvider,
-        CurrentContextOrganization organization)
-    {
-        organization.Type = userType;
-        organization.Permissions = new Permissions();
-
-        var context = new AuthorizationHandlerContext(
-            new[] { OrganizationUserOperations.ReadAll(organization.Id) },
-            new ClaimsPrincipal(),
-            null);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData]
-    public async Task CanReadAllAsync_WithProviderUser_Success(
-        Guid userId,
-        SutProvider<OrganizationUserAuthorizationHandler> sutProvider, CurrentContextOrganization organization)
-    {
-        organization.Type = OrganizationUserType.User;
-        organization.Permissions = new Permissions();
-
-        var context = new AuthorizationHandlerContext(
-            new[] { OrganizationUserOperations.ReadAll(organization.Id) },
-            new ClaimsPrincipal(),
-            null);
-
-        sutProvider.GetDependency<ICurrentContext>()
-            .UserId
-            .Returns(userId);
-        sutProvider.GetDependency<ICurrentContext>()
-            .ProviderUserForOrgAsync(organization.Id)
-            .Returns(true);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData]
-    public async Task HandleRequirementAsync_WhenMissingOrgAccess_NoSuccess(
-        Guid userId,
-        CurrentContextOrganization organization,
-        SutProvider<OrganizationUserAuthorizationHandler> sutProvider)
-    {
-        var context = new AuthorizationHandlerContext(
-            new[] { OrganizationUserOperations.ReadAll(organization.Id) },
-            new ClaimsPrincipal(),
-            null
-        );
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
-        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
-
-        await sutProvider.Sut.HandleAsync(context);
-        Assert.False(context.HasSucceeded);
-    }
-
-    [Theory, BitAutoData]
-    public async Task HandleRequirementAsync_MissingUserId_Failure(
-        Guid organizationId,
-        SutProvider<OrganizationUserAuthorizationHandler> sutProvider)
-    {
-        var context = new AuthorizationHandlerContext(
-            new[] { OrganizationUserOperations.ReadAll(organizationId) },
-            new ClaimsPrincipal(),
-            null
-        );
-
-        // Simulate missing user id
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns((Guid?)null);
-
-        await sutProvider.Sut.HandleAsync(context);
-        Assert.True(context.HasFailed);
-    }
-
-    [Theory, BitAutoData]
-    public async Task HandleRequirementAsync_NoSpecifiedOrgId_Failure(
-        SutProvider<OrganizationUserAuthorizationHandler> sutProvider)
-    {
-        var context = new AuthorizationHandlerContext(
-            new[] { OrganizationUserOperations.ReadAll(default) },
-            new ClaimsPrincipal(),
-            null
-        );
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(new Guid());
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.True(context.HasFailed);
-    }
-}
--- a/test/Core.Test/AdminConsole/Authorization/OrganizationUserUserDetailsAuthorizationHandlerTests.cs
+++ b/test/Core.Test/AdminConsole/Authorization/OrganizationUserUserDetailsAuthorizationHandlerTests.cs
@ -0,0 +1,176 @@
+using System.Security.Claims;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Services;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.Authorization;
+
+[SutProviderCustomize]
+public class OrganizationUserUserDetailsAuthorizationHandlerTests
+{
+    [Theory, CurrentContextOrganizationCustomize]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public async Task ReadAll_Admins_Success(
+        OrganizationUserType userType,
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        EnableFeatureFlag(sutProvider);
+        organization.Type = userType;
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        if (userType == OrganizationUserType.Custom)
+        {
+            organization.Permissions.ManageUsers = true;
+        }
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id));
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData, CurrentContextOrganizationCustomize]
+    public async Task ReadAll_ProviderUser_Success(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        EnableFeatureFlag(sutProvider);
+        organization.Type = OrganizationUserType.User;
+        sutProvider.GetDependency<ICurrentContext>()
+            .ProviderUserForOrgAsync(organization.Id)
+            .Returns(true);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id));
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData, CurrentContextOrganizationCustomize]
+    public async Task ReadAll_User_NoSuccess(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        EnableFeatureFlag(sutProvider);
+        organization.Type = OrganizationUserType.User;
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns(organization);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id)
+        );
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ReadAll_NotMember_NoSuccess(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        EnableFeatureFlag(sutProvider);
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id)
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.False(context.HasSucceeded);
+    }
+
+    private void EnableFeatureFlag(SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.Pm3478RefactorOrganizationUserApi)
+            .Returns(true);
+    }
+
+    // TESTS WITH FLAG DISABLED - TO BE DELETED IN FLAG CLEANUP
+
+    [Theory, CurrentContextOrganizationCustomize]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.User)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public async Task FlagDisabled_ReadAll_AnyMemberOfOrg_Success(
+        OrganizationUserType userType,
+        Guid userId, SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider,
+        CurrentContextOrganization organization)
+    {
+        organization.Type = userType;
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id));
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData, CurrentContextOrganizationCustomize]
+    public async Task FlagDisabled_ReadAll_ProviderUser_Success(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        organization.Type = OrganizationUserType.User;
+        sutProvider.GetDependency<ICurrentContext>()
+            .ProviderUserForOrgAsync(organization.Id)
+            .Returns(true);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id));
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData]
+    public async Task FlagDisabled_ReadAll_NotMember_NoSuccess(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id)
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.False(context.HasSucceeded);
+    }
+}
--- a/test/Core.Test/AdminConsole/Authorization/OrganizationUserUserMiniDetailsAuthorizationHandlerTests.cs
+++ b/test/Core.Test/AdminConsole/Authorization/OrganizationUserUserMiniDetailsAuthorizationHandlerTests.cs
@ -0,0 +1,80 @@
+using System.Security.Claims;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.Authorization;
+
+[SutProviderCustomize]
+public class OrganizationUserUserMiniDetailsAuthorizationHandlerTests
+{
+    [Theory, CurrentContextOrganizationCustomize]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    [BitAutoData(OrganizationUserType.User)]
+    public async Task ReadAll_AnyOrganizationMember_Success(
+        OrganizationUserType userType,
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserMiniDetailsAuthorizationHandler> sutProvider)
+    {
+        organization.Type = userType;
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserMiniDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id));
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData, CurrentContextOrganizationCustomize]
+    public async Task ReadAll_ProviderUser_Success(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserMiniDetailsAuthorizationHandler> sutProvider)
+    {
+        organization.Type = OrganizationUserType.User;
+        sutProvider.GetDependency<ICurrentContext>()
+            .GetOrganization(organization.Id)
+            .Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<ICurrentContext>()
+            .ProviderUserForOrgAsync(organization.Id)
+            .Returns(true);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserMiniDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id));
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData, CurrentContextOrganizationCustomize]
+    public async Task ReadAll_NotMember_NoSuccess(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserMiniDetailsAuthorizationHandler> sutProvider)
+    {
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserMiniDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id)
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.False(context.HasSucceeded);
+    }
+}
--- a/test/Core.Test/AdminConsole/AutoFixture/CurrentContextOrganizationFixtures.cs
+++ b/test/Core.Test/AdminConsole/AutoFixture/CurrentContextOrganizationFixtures.cs
@ -0,0 +1,40 @@
+using AutoFixture;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Test.Common.AutoFixture.Attributes;
+
+namespace Bit.Core.Test.AdminConsole.AutoFixture;
+
+public class CurrentContextOrganizationCustomization : ICustomization
+{
+    public Guid Id { get; set; }
+    public OrganizationUserType Type { get; set; }
+    public Permissions Permissions { get; set; } = new();
+    public bool AccessSecretsManager { get; set; }
+
+    public void Customize(IFixture fixture)
+    {
+        fixture.Customize<CurrentContextOrganization>(composer => composer
+            .With(o => o.Id, Id)
+            .With(o => o.Type, Type)
+            .With(o => o.Permissions, Permissions)
+            .With(o => o.AccessSecretsManager, AccessSecretsManager));
+    }
+}
+
+public class CurrentContextOrganizationCustomizeAttribute : BitCustomizeAttribute
+{
+    public Guid Id { get; set; }
+    public OrganizationUserType Type { get; set; } = OrganizationUserType.User;
+    public Permissions Permissions { get; set; } = new();
+    public bool AccessSecretsManager { get; set; } = false;
+
+    public override ICustomization GetCustomization() => new CurrentContextOrganizationCustomization()
+    {
+        Id = Id,
+        Type = Type,
+        Permissions = Permissions,
+        AccessSecretsManager = AccessSecretsManager
+    };
+}