nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00
Code Activity

[SM-788] Extract authorization from secret delete command (#3003)

Browse Source 
* Extract authorization from secret delete command
This commit is contained in:
Thomas Avery
2023-06-27 13:12:34 -05:00
committed by GitHub
parent c1723d9e90
commit d020c49c0e
9 changed files with 287 additions and 196 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
test/Api.IntegrationTest/SecretsManager/Controllers/SecretsControllerTests.cs
View File

@ -644,10 +644,28 @@ public class SecretsControllerTests : IClassFixture<ApiApplicationFactory>, IAsy
});
var secretIds = new[] { secret.Id };
var response = await _client.PostAsJsonAsync($"/secrets/{org.Id}/delete", secretIds);
var response = await _client.PostAsJsonAsync($"/secrets/delete", secretIds);
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task Delete_MissingAccessPolicy_AccessDenied()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
var (email, _) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);
var (_, secretIds) = await CreateSecretsAsync(org.Id, 3);
var response = await _client.PostAsync("/secrets/delete", JsonContent.Create(secretIds));
var results = await response.Content.ReadFromJsonAsync<ListResponseModel<BulkDeleteResponseModel>>();
Assert.NotNull(results);
Assert.Equal(secretIds.OrderBy(x => x),
results!.Data.Select(x => x.Id).OrderBy(x => x));
Assert.All(results.Data, item => Assert.Equal("access denied", item.Error));
}
[Theory]
[InlineData(PermissionType.RunAsAdmin)]
[InlineData(PermissionType.RunAsUserWithPermission)]
@ -656,12 +674,7 @@ public class SecretsControllerTests : IClassFixture<ApiApplicationFactory>, IAsy
var (org, _) = await _organizationHelper.Initialize(true, true);
await LoginAsync(_email);
var project = await _projectRepository.CreateAsync(new Project()
{
Id = new Guid(),
OrganizationId = org.Id,
Name = _mockEncryptedString
});
var (project, secretIds) = await CreateSecretsAsync(org.Id, 3);
if (permissionType == PermissionType.RunAsUserWithPermission)
{
@ -678,21 +691,6 @@ public class SecretsControllerTests : IClassFixture<ApiApplicationFactory>, IAsy
await _accessPolicyRepository.CreateManyAsync(accessPolicies);
}
var secretIds = new List<Guid>();
for (var i = 0; i < 3; i++)
{
var secret = await _secretRepository.CreateAsync(new Secret
{
OrganizationId = org.Id,
Key = _mockEncryptedString,
Value = _mockEncryptedString,
Note = _mockEncryptedString,
Projects = new List<Project>() { project }
});
secretIds.Add(secret.Id);
}
var response = await _client.PostAsJsonAsync($"/secrets/delete", secretIds);
response.EnsureSuccessStatusCode();
@ -710,4 +708,30 @@ public class SecretsControllerTests : IClassFixture<ApiApplicationFactory>, IAsy
var secrets = await _secretRepository.GetManyByIds(secretIds);
Assert.Empty(secrets);
}
private async Task<(Project Project, List<Guid> secretIds)> CreateSecretsAsync(Guid orgId, int numberToCreate = 3)
{
var project = await _projectRepository.CreateAsync(new Project
{
Id = new Guid(),
OrganizationId = orgId,
Name = _mockEncryptedString
});
var secretIds = new List<Guid>();
for (var i = 0; i < numberToCreate; i++)
{
var secret = await _secretRepository.CreateAsync(new Secret
{
OrganizationId = orgId,
Key = _mockEncryptedString,
Value = _mockEncryptedString,
Note = _mockEncryptedString,
Projects = new List<Project>() { project }
});
secretIds.Add(secret.Id);
}
return (project, secretIds);
}
}