nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-05-21 03:24:31 -05:00
Code

[AC-2170] Group modal - limit admin access - collections tab (#3998)

Browse Source 
* Update GroupsController POST and PUT to respect collection management settings
This commit is contained in:
Thomas Rittson 2024-05-02 09:55:16 +10:00 committed by GitHub
parent f0b9391249
commit e302ee1520
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 347 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

89
src/Api/AdminConsole/Controllers/GroupsController.cs
View File

@ -2,6 +2,7 @@
using Bit.Api.AdminConsole.Models.Response; using Bit.Api.AdminConsole.Models.Response;
using Bit.Api.Models.Response; using Bit.Api.Models.Response;
using Bit.Api.Utilities; using Bit.Api.Utilities;
using Bit.Api.Vault.AuthorizationHandlers.Collections;
using Bit.Api.Vault.AuthorizationHandlers.Groups; using Bit.Api.Vault.AuthorizationHandlers.Groups;
using Bit.Core; using Bit.Core;
using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces; using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
@ -32,6 +33,7 @@ public class GroupsController : Controller
private readonly IUserService _userService; private readonly IUserService _userService;
private readonly IFeatureService _featureService; private readonly IFeatureService _featureService;
private readonly IOrganizationUserRepository _organizationUserRepository; private readonly IOrganizationUserRepository _organizationUserRepository;
private readonly ICollectionRepository _collectionRepository;
public GroupsController( public GroupsController(
IGroupRepository groupRepository, IGroupRepository groupRepository,
@ -45,7 +47,8 @@ public class GroupsController : Controller
IApplicationCacheService applicationCacheService, IApplicationCacheService applicationCacheService,
IUserService userService, IUserService userService,
IFeatureService featureService, IFeatureService featureService,
IOrganizationUserRepository organizationUserRepository) IOrganizationUserRepository organizationUserRepository,
ICollectionRepository collectionRepository)
{ {
_groupRepository = groupRepository; _groupRepository = groupRepository;
_groupService = groupService; _groupService = groupService;
@ -59,6 +62,7 @@ public class GroupsController : Controller
_userService = userService; _userService = userService;
_featureService = featureService; _featureService = featureService;
_organizationUserRepository = organizationUserRepository; _organizationUserRepository = organizationUserRepository;
_collectionRepository = collectionRepository;
} }
[HttpGet("{id}")] [HttpGet("{id}")]
@ -125,16 +129,28 @@ public class GroupsController : Controller
} }
[HttpPost("")] [HttpPost("")]
public async Task<GroupResponseModel> Post(string orgId, [FromBody] GroupRequestModel model) public async Task<GroupResponseModel> Post(Guid orgId, [FromBody] GroupRequestModel model)
{ {
var orgIdGuid = new Guid(orgId); if (!await _currentContext.ManageGroups(orgId))
if (!await _currentContext.ManageGroups(orgIdGuid))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
var organization = await _organizationRepository.GetByIdAsync(orgIdGuid); // Flexible Collections - check the user has permission to grant access to the collections for the new group
var group = model.ToGroup(orgIdGuid); if (await FlexibleCollectionsIsEnabledAsync(orgId) && _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1))
{
var collections = await _collectionRepository.GetManyByManyIdsAsync(model.Collections.Select(a => a.Id));
var authorized =
(await _authorizationService.AuthorizeAsync(User, collections, BulkCollectionOperations.ModifyGroupAccess))
.Succeeded;
if (!authorized)
{
throw new NotFoundException("You are not authorized to grant access to these collections.");
}
}
var organization = await _organizationRepository.GetByIdAsync(orgId);
var group = model.ToGroup(orgId);
await _createGroupCommand.CreateGroupAsync(group, organization, model.Collections?.Select(c => c.ToSelectionReadOnly()).ToList(), model.Users); await _createGroupCommand.CreateGroupAsync(group, organization, model.Collections?.Select(c => c.ToSelectionReadOnly()).ToList(), model.Users);
return new GroupResponseModel(group); return new GroupResponseModel(group);
@ -144,16 +160,40 @@ public class GroupsController : Controller
[HttpPost("{id}")] [HttpPost("{id}")]
public async Task<GroupResponseModel> Put(Guid orgId, Guid id, [FromBody] GroupRequestModel model) public async Task<GroupResponseModel> Put(Guid orgId, Guid id, [FromBody] GroupRequestModel model)
{ {
if (await FlexibleCollectionsIsEnabledAsync(orgId) && _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1))
{
// Use new Flexible Collections v1 logic
return await Put_vNext(orgId, id, model);
}
// Pre-Flexible Collections v1 logic follows
var group = await _groupRepository.GetByIdAsync(id); var group = await _groupRepository.GetByIdAsync(id);
if (group == null || !await _currentContext.ManageGroups(group.OrganizationId)) if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
// Flexible Collections v1 - a user may not be able to add themselves to a group var organization = await _organizationRepository.GetByIdAsync(orgId);
await _updateGroupCommand.UpdateGroupAsync(model.ToGroup(group), organization,
model.Collections.Select(c => c.ToSelectionReadOnly()).ToList(), model.Users);
return new GroupResponseModel(group);
}
/// <summary>
/// Put logic for Flexible Collections v1
/// </summary>
private async Task<GroupResponseModel> Put_vNext(Guid orgId, Guid id, [FromBody] GroupRequestModel model)
{
var (group, currentAccess) = await _groupRepository.GetByIdWithCollectionsAsync(id);
if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
{
throw new NotFoundException();
}
// Check whether the user is permitted to add themselves to the group
var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId); var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
var flexibleCollectionsV1Enabled = _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1); if (!orgAbility.AllowAdminAccessToAllCollectionItems)
if (flexibleCollectionsV1Enabled && orgAbility.FlexibleCollections && !orgAbility.AllowAdminAccessToAllCollectionItems)
{ {
var userId = _userService.GetProperUserId(User).Value; var userId = _userService.GetProperUserId(User).Value;
var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(orgId, userId); var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(orgId, userId);
@ -164,9 +204,38 @@ public class GroupsController : Controller
} }
} }
// The client only sends collections that the saving user has permissions to edit.
// On the server side, we need to (1) confirm this and (2) concat these with the collections that the user
// can't edit before saving to the database.
var currentCollections = await _collectionRepository
.GetManyByManyIdsAsync(currentAccess.Select(cas => cas.Id));
var readonlyCollectionIds = new HashSet<Guid>();
foreach (var collection in currentCollections)
{
if (!(await _authorizationService.AuthorizeAsync(User, collection, BulkCollectionOperations.ModifyGroupAccess))
.Succeeded)
{
readonlyCollectionIds.Add(collection.Id);
}
}
if (model.Collections.Any(c => readonlyCollectionIds.Contains(c.Id)))
{
throw new BadRequestException("You must have Can Manage permissions to edit a collection's membership");
}
var editedCollectionAccess = model.Collections
.Select(c => c.ToSelectionReadOnly());
var readonlyCollectionAccess = currentAccess
.Where(ca => readonlyCollectionIds.Contains(ca.Id));
var collectionsToSave = editedCollectionAccess
.Concat(readonlyCollectionAccess)
.ToList();
var organization = await _organizationRepository.GetByIdAsync(orgId); var organization = await _organizationRepository.GetByIdAsync(orgId);
await _updateGroupCommand.UpdateGroupAsync(model.ToGroup(group), organization, model.Collections?.Select(c => c.ToSelectionReadOnly()).ToList(), model.Users); await _updateGroupCommand.UpdateGroupAsync(model.ToGroup(group), organization, collectionsToSave, model.Users);
return new GroupResponseModel(group); return new GroupResponseModel(group);
} }

3
src/Api/Vault/AuthorizationHandlers/Collections/CollectionAuthorizationHandler.cs
View File

@ -85,7 +85,8 @@ public class CollectionAuthorizationHandler : AuthorizationHandler<CollectionOpe
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
{ Permissions.EditAnyCollection: true } or { Permissions.EditAnyCollection: true } or
{ Permissions.DeleteAnyCollection: true } or { Permissions.DeleteAnyCollection: true } or
{ Permissions.ManageUsers: true }) { Permissions.ManageUsers: true } or
{ Permissions.ManageGroups: true })
{ {
context.Succeed(requirement); context.Succeed(requirement);
return; return;

293
test/Api.Test/AdminConsole/Controllers/GroupsControllerTests.cs
View File

@ -1,6 +1,8 @@
using System.Security.Claims; using System.Security.Claims;
using Bit.Api.AdminConsole.Controllers; using Bit.Api.AdminConsole.Controllers;
using Bit.Api.AdminConsole.Models.Request; using Bit.Api.AdminConsole.Models.Request;
using Bit.Api.Models.Request;
using Bit.Api.Vault.AuthorizationHandlers.Collections;
using Bit.Core; using Bit.Core;
using Bit.Core.AdminConsole.Entities; using Bit.Core.AdminConsole.Entities;
using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces; using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
@ -12,8 +14,10 @@ using Bit.Core.Models.Data;
using Bit.Core.Models.Data.Organizations; using Bit.Core.Models.Data.Organizations;
using Bit.Core.Repositories; using Bit.Core.Repositories;
using Bit.Core.Services; using Bit.Core.Services;
using Bit.Core.Utilities;
using Bit.Test.Common.AutoFixture; using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes; using Bit.Test.Common.AutoFixture.Attributes;
using Microsoft.AspNetCore.Authorization;
using NSubstitute; using NSubstitute;
using Xunit; using Xunit;
@ -25,12 +29,12 @@ public class GroupsControllerTests
{ {
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async Task Post_Success(Organization organization, GroupRequestModel groupRequestModel, SutProvider<GroupsController> sutProvider) public async Task Post_PreFCv1_Success(Organization organization, GroupRequestModel groupRequestModel, SutProvider<GroupsController> sutProvider)
{ {
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization); sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true); sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
var response = await sutProvider.Sut.Post(organization.Id.ToString(), groupRequestModel); var response = await sutProvider.Sut.Post(organization.Id, groupRequestModel);
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id); await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
await sutProvider.GetDependency<ICreateGroupCommand>().Received(1).CreateGroupAsync( await sutProvider.GetDependency<ICreateGroupCommand>().Received(1).CreateGroupAsync(
@ -47,15 +51,100 @@ public class GroupsControllerTests
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async Task Put_AdminsCanAccessAllCollections_Success(Organization organization, Group group, GroupRequestModel groupRequestModel, SutProvider<GroupsController> sutProvider) public async Task Post_AuthorizedToGiveAccessToCollections_Success(Organization organization,
GroupRequestModel groupRequestModel, SutProvider<GroupsController> sutProvider)
{
// Enable FC and v1
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
new OrganizationAbility { Id = organization.Id, FlexibleCollections = true, AllowAdminAccessToAllCollectionItems = false });
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
Arg.Any<IEnumerable<Collection>>(),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Success());
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
var response = await sutProvider.Sut.Post(organization.Id, groupRequestModel);
var requestModelCollectionIds = groupRequestModel.Collections.Select(c => c.Id).ToHashSet();
// Assert that it checked permissions
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
await sutProvider.GetDependency<IAuthorizationService>()
.Received(1)
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
Arg.Is<IEnumerable<Collection>>(collections =>
collections.All(c => requestModelCollectionIds.Contains(c.Id))),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs =>
reqs.Single() == BulkCollectionOperations.ModifyGroupAccess));
// Assert that it saved the data
await sutProvider.GetDependency<ICreateGroupCommand>().Received(1).CreateGroupAsync(
Arg.Is<Group>(g =>
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name &&
g.AccessAll == groupRequestModel.AccessAll),
organization,
Arg.Is<ICollection<CollectionAccessSelection>>(access =>
access.All(c => requestModelCollectionIds.Contains(c.Id))),
Arg.Any<IEnumerable<Guid>>());
Assert.Equal(groupRequestModel.Name, response.Name);
Assert.Equal(organization.Id, response.OrganizationId);
Assert.Equal(groupRequestModel.AccessAll, response.AccessAll);
}
[Theory]
[BitAutoData]
public async Task Post_NotAuthorizedToGiveAccessToCollections_Throws(Organization organization, GroupRequestModel groupRequestModel, SutProvider<GroupsController> sutProvider)
{
// Enable FC and v1
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
new OrganizationAbility { Id = organization.Id, FlexibleCollections = true, AllowAdminAccessToAllCollectionItems = false });
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
var requestModelCollectionIds = groupRequestModel.Collections.Select(c => c.Id).ToHashSet();
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(),
Arg.Is<IEnumerable<Collection>>(collections => collections.All(c => requestModelCollectionIds.Contains(c.Id))),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Failed());
var exception = await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Post(organization.Id, groupRequestModel));
Assert.Contains("You are not authorized to grant access to these collections.", exception.Message);
await sutProvider.GetDependency<ICreateGroupCommand>().DidNotReceiveWithAnyArgs()
.CreateGroupAsync(default, default, default, default);
}
[Theory]
[BitAutoData]
public async Task Put_AdminsCanAccessAllCollections_Success(Organization organization, Group group,
GroupRequestModel groupRequestModel, List<CollectionAccessSelection> existingCollectionAccess,
SutProvider<GroupsController> sutProvider)
{ {
group.OrganizationId = organization.Id; group.OrganizationId = organization.Id;
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization); // Enable FC and v1, set Collection Management Setting
sutProvider.GetDependency<IGroupRepository>().GetByIdAsync(group.Id).Returns(group);
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns( sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
new OrganizationAbility { Id = organization.Id, AllowAdminAccessToAllCollectionItems = true }); new OrganizationAbility { Id = organization.Id, AllowAdminAccessToAllCollectionItems = true, FlexibleCollections = true });
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, existingCollectionAccess));
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(existingCollectionAccess.Select(c => c.Id))
.Returns(existingCollectionAccess.Select(c => new Collection { Id = c.Id }).ToList());
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
var requestModelCollectionIds = groupRequestModel.Collections.Select(c => c.Id).ToHashSet();
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel); var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
@ -65,7 +154,9 @@ public class GroupsControllerTests
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name && g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name &&
g.AccessAll == groupRequestModel.AccessAll), g.AccessAll == groupRequestModel.AccessAll),
Arg.Is<Organization>(o => o.Id == organization.Id), Arg.Is<Organization>(o => o.Id == organization.Id),
Arg.Any<ICollection<CollectionAccessSelection>>(), // Should overwrite any existing collections
Arg.Is<ICollection<CollectionAccessSelection>>(access =>
access.All(c => requestModelCollectionIds.Contains(c.Id))),
Arg.Any<IEnumerable<Guid>>()); Arg.Any<IEnumerable<Guid>>());
Assert.Equal(groupRequestModel.Name, response.Name); Assert.Equal(groupRequestModel.Name, response.Name);
Assert.Equal(organization.Id, response.OrganizationId); Assert.Equal(organization.Id, response.OrganizationId);
@ -74,20 +165,13 @@ public class GroupsControllerTests
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async Task Put_AdminsCannotAccessAllCollections_CannotAddSelfToGroup(Organization organization, Group group, public async Task Put_UpdateMembers_AdminsCannotAccessAllCollections_CannotAddSelfToGroup(Organization organization, Group group,
GroupRequestModel groupRequestModel, OrganizationUser savingOrganizationUser, List<Guid> currentGroupUsers, GroupRequestModel groupRequestModel, OrganizationUser savingOrganizationUser, List<Guid> currentGroupUsers,
SutProvider<GroupsController> sutProvider) SutProvider<GroupsController> sutProvider)
{ {
group.OrganizationId = organization.Id; group.OrganizationId = organization.Id;
// Saving user is trying to add themselves to the group // Enable FC and v1
var updatedUsers = groupRequestModel.Users.ToList();
updatedUsers.Add(savingOrganizationUser.Id);
groupRequestModel.Users = updatedUsers;
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
sutProvider.GetDependency<IGroupRepository>().GetByIdAsync(group.Id).Returns(group);
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns( sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
new OrganizationAbility new OrganizationAbility
{ {
@ -96,6 +180,16 @@ public class GroupsControllerTests
FlexibleCollections = true FlexibleCollections = true
}); });
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true); sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
// Saving user is trying to add themselves to the group
var updatedUsers = groupRequestModel.Users.ToList();
updatedUsers.Add(savingOrganizationUser.Id);
groupRequestModel.Users = updatedUsers;
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, new List<CollectionAccessSelection>()));
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
sutProvider.GetDependency<IOrganizationUserRepository>() sutProvider.GetDependency<IOrganizationUserRepository>()
.GetByOrganizationAsync(organization.Id, Arg.Any<Guid>()) .GetByOrganizationAsync(organization.Id, Arg.Any<Guid>())
.Returns(savingOrganizationUser); .Returns(savingOrganizationUser);
@ -112,12 +206,22 @@ public class GroupsControllerTests
[Theory] [Theory]
[BitAutoData] [BitAutoData]
public async Task Put_AdminsCannotAccessAllCollections_Success(Organization organization, Group group, public async Task Put_UpdateMembers_AdminsCannotAccessAllCollections_AlreadyInGroup_Success(Organization organization, Group group,
GroupRequestModel groupRequestModel, OrganizationUser savingOrganizationUser, List<Guid> currentGroupUsers, GroupRequestModel groupRequestModel, OrganizationUser savingOrganizationUser, List<Guid> currentGroupUsers,
SutProvider<GroupsController> sutProvider) SutProvider<GroupsController> sutProvider)
{ {
group.OrganizationId = organization.Id; group.OrganizationId = organization.Id;
// Enable FC and v1
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
new OrganizationAbility
{
Id = organization.Id,
AllowAdminAccessToAllCollectionItems = false,
FlexibleCollections = true
});
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
// Saving user is trying to add themselves to the group // Saving user is trying to add themselves to the group
var updatedUsers = groupRequestModel.Users.ToList(); var updatedUsers = groupRequestModel.Users.ToList();
updatedUsers.Add(savingOrganizationUser.Id); updatedUsers.Add(savingOrganizationUser.Id);
@ -127,16 +231,9 @@ public class GroupsControllerTests
currentGroupUsers.Add(savingOrganizationUser.Id); currentGroupUsers.Add(savingOrganizationUser.Id);
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization); sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
sutProvider.GetDependency<IGroupRepository>().GetByIdAsync(group.Id).Returns(group); sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, new List<CollectionAccessSelection>()));
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true); sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
new OrganizationAbility
{
Id = organization.Id,
AllowAdminAccessToAllCollectionItems = false,
FlexibleCollections = true
});
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
sutProvider.GetDependency<IOrganizationUserRepository>() sutProvider.GetDependency<IOrganizationUserRepository>()
.GetByOrganizationAsync(organization.Id, Arg.Any<Guid>()) .GetByOrganizationAsync(organization.Id, Arg.Any<Guid>())
.Returns(savingOrganizationUser); .Returns(savingOrganizationUser);
@ -145,6 +242,9 @@ public class GroupsControllerTests
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id) sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id)
.Returns(currentGroupUsers); .Returns(currentGroupUsers);
// Make collection authorization pass, it's not being tested here
groupRequestModel.Collections = Array.Empty<SelectionReadOnlyRequestModel>();
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel); var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id); await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
@ -159,4 +259,143 @@ public class GroupsControllerTests
Assert.Equal(organization.Id, response.OrganizationId); Assert.Equal(organization.Id, response.OrganizationId);
Assert.Equal(groupRequestModel.AccessAll, response.AccessAll); Assert.Equal(groupRequestModel.AccessAll, response.AccessAll);
} }
[Theory]
[BitAutoData]
public async Task Put_UpdateCollections_OnlyUpdatesCollectionsTheSavingUserCanUpdate(GroupRequestModel groupRequestModel,
Group group, Organization organization,
SutProvider<GroupsController> sutProvider, Guid savingUserId)
{
organization.FlexibleCollections = true;
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
Put_Setup(sutProvider, organization, group, savingUserId);
var editedCollectionId = CoreHelpers.GenerateComb();
var readonlyCollectionId1 = CoreHelpers.GenerateComb();
var readonlyCollectionId2 = CoreHelpers.GenerateComb();
var currentCollectionAccess = new List<CollectionAccessSelection>
{
new()
{
Id = editedCollectionId,
HidePasswords = true,
Manage = false,
ReadOnly = true
},
new()
{
Id = readonlyCollectionId1,
HidePasswords = false,
Manage = true,
ReadOnly = false
},
new()
{
Id = readonlyCollectionId2,
HidePasswords = false,
Manage = false,
ReadOnly = false
},
};
// User is upgrading editedCollectionId to manage
groupRequestModel.Collections = new List<SelectionReadOnlyRequestModel>
{
new() { Id = editedCollectionId, HidePasswords = false, Manage = true, ReadOnly = false }
};
sutProvider.GetDependency<IGroupRepository>()
.GetByIdWithCollectionsAsync(group.Id)
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group,
currentCollectionAccess));
var currentCollections = currentCollectionAccess
.Select(cas => new Collection { Id = cas.Id }).ToList();
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
.Returns(currentCollections);
// Authorize the editedCollection
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == editedCollectionId),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Success());
// Do not authorize the readonly collections
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == readonlyCollectionId1 || c.Id == readonlyCollectionId2),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Failed());
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
// Expect all collection access (modified and unmodified) to be saved
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
Arg.Is<Group>(g =>
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name &&
g.AccessAll == groupRequestModel.AccessAll),
Arg.Is<Organization>(o => o.Id == organization.Id),
Arg.Is<List<CollectionAccessSelection>>(cas =>
cas.Select(c => c.Id).SequenceEqual(currentCollectionAccess.Select(c => c.Id)) &&
cas.First(c => c.Id == editedCollectionId).Manage == true &&
cas.First(c => c.Id == editedCollectionId).ReadOnly == false &&
cas.First(c => c.Id == editedCollectionId).HidePasswords == false),
Arg.Any<IEnumerable<Guid>>());
Assert.Equal(groupRequestModel.Name, response.Name);
Assert.Equal(organization.Id, response.OrganizationId);
Assert.Equal(groupRequestModel.AccessAll, response.AccessAll);
}
[Theory]
[BitAutoData]
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotUpdateCollections(GroupRequestModel groupRequestModel,
Group group, Organization organization,
SutProvider<GroupsController> sutProvider, Guid savingUserId)
{
organization.FlexibleCollections = true;
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
Put_Setup(sutProvider, organization, group, savingUserId);
sutProvider.GetDependency<IGroupRepository>()
.GetByIdWithCollectionsAsync(group.Id)
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group,
groupRequestModel.Collections.Select(cas => cas.ToSelectionReadOnly()).ToList()));
var collections = groupRequestModel.Collections.Select(cas => new Collection { Id = cas.Id }).ToList();
sutProvider.GetDependency<ICollectionRepository>()
.GetManyByManyIdsAsync(Arg.Is<IEnumerable<Guid>>(guids => guids.SequenceEqual(collections.Select(c => c.Id))))
.Returns(collections);
sutProvider.GetDependency<IAuthorizationService>()
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => collections.Contains(c)),
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
.Returns(AuthorizationResult.Failed());
var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel));
Assert.Contains("You must have Can Manage permission", exception.Message);
}
private void Put_Setup(SutProvider<GroupsController> sutProvider, Organization organization,
Group group, Guid savingUserId)
{
var orgId = organization.Id = group.OrganizationId;
sutProvider.GetDependency<ICurrentContext>().ManageGroups(orgId).Returns(true);
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(orgId)
.Returns(new OrganizationAbility
{
Id = organization.Id,
FlexibleCollections = true,
AllowAdminAccessToAllCollectionItems = false
});
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id).Returns(new List<Guid>());
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(savingUserId);
sutProvider.GetDependency<IOrganizationUserRepository>().GetByOrganizationAsync(orgId, savingUserId).Returns(new OrganizationUser
{
Id = savingUserId
});
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
}
} }