[AC-1139] Renamed existing CollectionAuthorizationHandler to BulkCollectionAuthorizationHandler for collections and created CollectionAuthorizationHandler for single item access. Fixed unit tests and created more

test/Api.Test/Vault/AuthorizationHandlers/CollectionAuthorizationHandlerTests.cs

@@ -2,13 +2,8 @@
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Core;
 using Bit.Core.Context;
-using Bit.Core.Entities;
 using Bit.Core.Enums;
-using Bit.Core.Exceptions;
-using Bit.Core.Models.Data;
-using Bit.Core.Repositories;
 using Bit.Core.Test.AutoFixture;
-using Bit.Core.Test.Vault.AutoFixture;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.Authorization;
@@ -21,117 +16,75 @@ namespace Bit.Api.Test.Vault.AuthorizationHandlers;
 [FeatureServiceCustomize(FeatureFlagKeys.FlexibleCollections)]
 public class CollectionAuthorizationHandlerTests
 {
-    [Theory, CollectionCustomization]
+    [Theory]
     [BitAutoData(OrganizationUserType.User, false, true)]
     [BitAutoData(OrganizationUserType.Admin, false, false)]
     [BitAutoData(OrganizationUserType.Owner, false, false)]
     [BitAutoData(OrganizationUserType.Custom, true, false)]
     [BitAutoData(OrganizationUserType.Owner, true, true)]
-    public async Task CanManageCollectionAccessAsync_Success(
-        OrganizationUserType userType, bool editAnyCollection, bool manageCollections,
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        ICollection<CollectionDetails> collectionDetails,
+    public async Task CanReadAllAccessAsync_Success(
+        OrganizationUserType userType, bool editAnyCollection, bool deleteAnyCollection,
+        Guid userId, SutProvider<CollectionAuthorizationHandler> sutProvider,
         CurrentContextOrganization organization)
     {
-        var actingUserId = Guid.NewGuid();
-        foreach (var collectionDetail in collectionDetails)
-        {
-            collectionDetail.Manage = manageCollections;
-        }
+        // if (org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin ||
+        //     org.Permissions.ManageGroups ||
+        //     org.Permissions.ManageUsers ||
+        //     org.Permissions.EditAnyCollection ||
+        //     org.Permissions.DeleteAnyCollection ||
+        //     org.Permissions.AccessImportExport ||
+        //     await _currentContext.ProviderUserForOrgAsync(org.Id))
+        // {
+        //     context.Succeed(requirement);
+        // }
 
         organization.Type = userType;
         organization.Permissions.EditAnyCollection = editAnyCollection;
-
-        var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.ModifyAccess },
-            new ClaimsPrincipal(),
-            collections);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collectionDetails);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, CollectionCustomization]
-    [BitAutoData(OrganizationUserType.User, false, false)]
-    [BitAutoData(OrganizationUserType.Admin, false, true)]
-    [BitAutoData(OrganizationUserType.Owner, false, true)]
-    [BitAutoData(OrganizationUserType.Custom, true, true)]
-    public async Task CanCreateAsync_Success(
-        OrganizationUserType userType, bool createNewCollection, bool limitCollectionCreateDelete,
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        organization.Type = userType;
-        organization.Permissions.CreateNewCollections = createNewCollection;
-        organization.LimitCollectionCreationDeletion = limitCollectionCreateDelete;
-
-        var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.Create },
-            new ClaimsPrincipal(),
-            collections);
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-
-        await sutProvider.Sut.HandleAsync(context);
-
-        Assert.True(context.HasSucceeded);
-    }
-
-    [Theory, CollectionCustomization]
-    [BitAutoData(OrganizationUserType.User, false, false, true)]
-    [BitAutoData(OrganizationUserType.Admin, false, true, false)]
-    [BitAutoData(OrganizationUserType.Owner, false, true, false)]
-    [BitAutoData(OrganizationUserType.Custom, true, true, false)]
-    public async Task CanDeleteAsync_Success(
-        OrganizationUserType userType, bool deleteAnyCollection, bool limitCollectionCreateDelete, bool manageCollections,
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        ICollection<CollectionDetails> collectionDetails,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-        foreach (var collectionDetail in collectionDetails)
-        {
-            collectionDetail.Manage = manageCollections;
-        }
-
-        organization.Type = userType;
         organization.Permissions.DeleteAnyCollection = deleteAnyCollection;
-        organization.LimitCollectionCreationDeletion = limitCollectionCreateDelete;
 
         var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.Delete },
+            new[] { CollectionOperations.ReadAll(organization.Id) },
             new ClaimsPrincipal(),
-            collections);
+            null);
 
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collectionDetails);
 
         await sutProvider.Sut.HandleAsync(context);
 
         Assert.True(context.HasSucceeded);
     }
 
-    [Theory, BitAutoData, CollectionCustomization]
+    [Theory, BitAutoData]
+    public async Task CanReadAllAccessAsync_WithProviderUser_Success(
+        Guid userId,
+        SutProvider<CollectionAuthorizationHandler> sutProvider, CurrentContextOrganization organization)
+    {
+        var context = new AuthorizationHandlerContext(
+            new[] { CollectionOperations.ReadAll(organization.Id) },
+            new ClaimsPrincipal(),
+            null);
+
+        sutProvider.GetDependency<ICurrentContext>()
+            .UserId
+            .Returns(userId);
+        sutProvider.GetDependency<ICurrentContext>()
+            .ProviderUserForOrgAsync(organization.Id)
+            .Returns(true);
+
+        await sutProvider.Sut.HandleAsync(context);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    [Theory, BitAutoData]
     public async Task HandleRequirementAsync_MissingUserId_Failure(
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections)
+        SutProvider<CollectionAuthorizationHandler> sutProvider)
     {
         var context = new AuthorizationHandlerContext(
             new[] { CollectionOperations.Create },
             new ClaimsPrincipal(),
-            collections
+            null
         );
 
         // Simulate missing user id
@@ -139,86 +92,24 @@ public class CollectionAuthorizationHandlerTests
 
         await sutProvider.Sut.HandleAsync(context);
         Assert.True(context.HasFailed);
-        sutProvider.GetDependency<ICollectionRepository>().DidNotReceiveWithAnyArgs();
     }
 
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task HandleRequirementAsync_TargetCollectionsMultipleOrgs_Failure(
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        IList<Collection> collections)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        // Simulate a collection in a different organization
-        collections.First().OrganizationId = Guid.NewGuid();
-
-        var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.Create },
-            new ClaimsPrincipal(),
-            collections
-        );
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-
-        var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.HandleAsync(context));
-        Assert.Equal("Requested collections must belong to the same organization.", exception.Message);
-        sutProvider.GetDependency<ICurrentContext>().DidNotReceiveWithAnyArgs().GetOrganization(default);
-    }
-
-    [Theory, BitAutoData, CollectionCustomization]
+    [Theory, BitAutoData]
     public async Task HandleRequirementAsync_MissingOrg_Failure(
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections)
+        Guid userId,
+        Guid organizationId,
+        SutProvider<CollectionAuthorizationHandler> sutProvider)
     {
-        var actingUserId = Guid.NewGuid();
-
         var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.Create },
+            new[] { CollectionOperations.ReadAll(organizationId) },
             new ClaimsPrincipal(),
-            collections
+            null
         );
 
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
+        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(userId);
         sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns((CurrentContextOrganization)null);
 
         await sutProvider.Sut.HandleAsync(context);
         Assert.True(context.HasFailed);
     }
-
-    [Theory, BitAutoData, CollectionCustomization]
-    public async Task CanManageCollectionAccessAsync_MissingManageCollectionPermission_Failure(
-        SutProvider<CollectionAuthorizationHandler> sutProvider,
-        ICollection<Collection> collections,
-        ICollection<CollectionDetails> collectionDetails,
-        CurrentContextOrganization organization)
-    {
-        var actingUserId = Guid.NewGuid();
-
-        foreach (var collectionDetail in collectionDetails)
-        {
-            collectionDetail.Manage = true;
-        }
-        // Simulate one collection missing the manage permission
-        collectionDetails.First().Manage = false;
-
-        // Ensure the user is not an owner/admin and does not have edit any collection permission
-        organization.Type = OrganizationUserType.User;
-        organization.Permissions.EditAnyCollection = false;
-
-        var context = new AuthorizationHandlerContext(
-            new[] { CollectionOperations.ModifyAccess },
-            new ClaimsPrincipal(),
-            collections
-        );
-
-        sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
-        sutProvider.GetDependency<ICurrentContext>().GetOrganization(Arg.Any<Guid>()).Returns(organization);
-        sutProvider.GetDependency<ICollectionRepository>().GetManyByUserIdAsync(actingUserId).Returns(collectionDetails);
-
-        await sutProvider.Sut.HandleAsync(context);
-        Assert.True(context.HasFailed);
-        sutProvider.GetDependency<ICurrentContext>().ReceivedWithAnyArgs().GetOrganization(default);
-        await sutProvider.GetDependency<ICollectionRepository>().ReceivedWithAnyArgs()
-            .GetManyByUserIdAsync(default);
-    }
 }