[PM-3478] Refactor OrganizationUser api (#4752)

* Add OrganizationUserMiniDetails endpoint, models and authorization * Restrict access to current OrganizationUserUserDetails endpoint Both are behind feature flags
2025-07-01 08:02:49 -05:00 · 2024-10-01 07:14:16 +10:00
parent 7368e57b7b
commit c94a084c86
16 changed files with 514 additions and 211 deletions
--- a/test/Core.Test/AdminConsole/Authorization/OrganizationUserUserDetailsAuthorizationHandlerTests.cs
+++ b/test/Core.Test/AdminConsole/Authorization/OrganizationUserUserDetailsAuthorizationHandlerTests.cs
@ -0,0 +1,176 @@
+using System.Security.Claims;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Services;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.Authorization;
+
+[SutProviderCustomize]
+public class OrganizationUserUserDetailsAuthorizationHandlerTests
+{
+    [Theory, CurrentContextOrganizationCustomize]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public async Task ReadAll_Admins_Success(
+        OrganizationUserType userType,
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        EnableFeatureFlag(sutProvider);
+        organization.Type = userType;
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        if (userType == OrganizationUserType.Custom)
+        {
+            organization.Permissions.ManageUsers = true;
+        }
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id));
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData, CurrentContextOrganizationCustomize]
+    public async Task ReadAll_ProviderUser_Success(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        EnableFeatureFlag(sutProvider);
+        organization.Type = OrganizationUserType.User;
+        sutProvider.GetDependency<ICurrentContext>()
+            .ProviderUserForOrgAsync(organization.Id)
+            .Returns(true);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id));
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData, CurrentContextOrganizationCustomize]
+    public async Task ReadAll_User_NoSuccess(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        EnableFeatureFlag(sutProvider);
+        organization.Type = OrganizationUserType.User;
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns(organization);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id)
+        );
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.False(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData]
+    public async Task ReadAll_NotMember_NoSuccess(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        EnableFeatureFlag(sutProvider);
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id)
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.False(context.HasSucceeded);
+    }
+
+    private void EnableFeatureFlag(SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.Pm3478RefactorOrganizationUserApi)
+            .Returns(true);
+    }
+
+    // TESTS WITH FLAG DISABLED - TO BE DELETED IN FLAG CLEANUP
+
+    [Theory, CurrentContextOrganizationCustomize]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.User)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    public async Task FlagDisabled_ReadAll_AnyMemberOfOrg_Success(
+        OrganizationUserType userType,
+        Guid userId, SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider,
+        CurrentContextOrganization organization)
+    {
+        organization.Type = userType;
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id));
+
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData, CurrentContextOrganizationCustomize]
+    public async Task FlagDisabled_ReadAll_ProviderUser_Success(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        organization.Type = OrganizationUserType.User;
+        sutProvider.GetDependency<ICurrentContext>()
+            .ProviderUserForOrgAsync(organization.Id)
+            .Returns(true);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id));
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData]
+    public async Task FlagDisabled_ReadAll_NotMember_NoSuccess(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserDetailsAuthorizationHandler> sutProvider)
+    {
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id)
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.False(context.HasSucceeded);
+    }
+}
--- a/test/Core.Test/AdminConsole/Authorization/OrganizationUserUserMiniDetailsAuthorizationHandlerTests.cs
+++ b/test/Core.Test/AdminConsole/Authorization/OrganizationUserUserMiniDetailsAuthorizationHandlerTests.cs
@ -0,0 +1,80 @@
+using System.Security.Claims;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Test.AdminConsole.AutoFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.Authorization;
+
+[SutProviderCustomize]
+public class OrganizationUserUserMiniDetailsAuthorizationHandlerTests
+{
+    [Theory, CurrentContextOrganizationCustomize]
+    [BitAutoData(OrganizationUserType.Admin)]
+    [BitAutoData(OrganizationUserType.Owner)]
+    [BitAutoData(OrganizationUserType.Custom)]
+    [BitAutoData(OrganizationUserType.User)]
+    public async Task ReadAll_AnyOrganizationMember_Success(
+        OrganizationUserType userType,
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserMiniDetailsAuthorizationHandler> sutProvider)
+    {
+        organization.Type = userType;
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserMiniDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id));
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData, CurrentContextOrganizationCustomize]
+    public async Task ReadAll_ProviderUser_Success(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserMiniDetailsAuthorizationHandler> sutProvider)
+    {
+        organization.Type = OrganizationUserType.User;
+        sutProvider.GetDependency<ICurrentContext>()
+            .GetOrganization(organization.Id)
+            .Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<ICurrentContext>()
+            .ProviderUserForOrgAsync(organization.Id)
+            .Returns(true);
+
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserMiniDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id));
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData, CurrentContextOrganizationCustomize]
+    public async Task ReadAll_NotMember_NoSuccess(
+        CurrentContextOrganization organization,
+        SutProvider<OrganizationUserUserMiniDetailsAuthorizationHandler> sutProvider)
+    {
+        var context = new AuthorizationHandlerContext(
+            new[] { OrganizationUserUserMiniDetailsOperations.ReadAll },
+            new ClaimsPrincipal(),
+            new OrganizationScope(organization.Id)
+        );
+
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
+        sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
+
+        await sutProvider.Sut.HandleAsync(context);
+        Assert.False(context.HasSucceeded);
+    }
+}
--- a/test/Core.Test/AdminConsole/AutoFixture/CurrentContextOrganizationFixtures.cs
+++ b/test/Core.Test/AdminConsole/AutoFixture/CurrentContextOrganizationFixtures.cs
@ -0,0 +1,40 @@
+using AutoFixture;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Test.Common.AutoFixture.Attributes;
+
+namespace Bit.Core.Test.AdminConsole.AutoFixture;
+
+public class CurrentContextOrganizationCustomization : ICustomization
+{
+    public Guid Id { get; set; }
+    public OrganizationUserType Type { get; set; }
+    public Permissions Permissions { get; set; } = new();
+    public bool AccessSecretsManager { get; set; }
+
+    public void Customize(IFixture fixture)
+    {
+        fixture.Customize<CurrentContextOrganization>(composer => composer
+            .With(o => o.Id, Id)
+            .With(o => o.Type, Type)
+            .With(o => o.Permissions, Permissions)
+            .With(o => o.AccessSecretsManager, AccessSecretsManager));
+    }
+}
+
+public class CurrentContextOrganizationCustomizeAttribute : BitCustomizeAttribute
+{
+    public Guid Id { get; set; }
+    public OrganizationUserType Type { get; set; } = OrganizationUserType.User;
+    public Permissions Permissions { get; set; } = new();
+    public bool AccessSecretsManager { get; set; } = false;
+
+    public override ICustomization GetCustomization() => new CurrentContextOrganizationCustomization()
+    {
+        Id = Id,
+        Type = Type,
+        Permissions = Permissions,
+        AccessSecretsManager = AccessSecretsManager
+    };
+}