using System.Security.Claims; using AutoFixture; using Bit.Api.Models.Request; using Bit.Api.Tools.Controllers; using Bit.Api.Tools.Models.Request.Accounts; using Bit.Api.Tools.Models.Request.Organizations; using Bit.Api.Vault.AuthorizationHandlers.Collections; using Bit.Api.Vault.Models.Request; using Bit.Core.Context; using Bit.Core.Entities; using Bit.Core.Exceptions; using Bit.Core.Repositories; using Bit.Core.Tools.ImportFeatures.Interfaces; using Bit.Core.Vault.Entities; using Bit.Core.Vault.Models.Data; using Bit.Test.Common.AutoFixture; using Bit.Test.Common.AutoFixture.Attributes; using Microsoft.AspNetCore.Authorization; using NSubstitute; using NSubstitute.ClearExtensions; using Xunit; using GlobalSettings = Bit.Core.Settings.GlobalSettings; namespace Bit.Api.Test.Tools.Controllers; [ControllerCustomize(typeof(ImportCiphersController))] [SutProviderCustomize] public class ImportCiphersControllerTests { /************************* * PostImport - Individual *************************/ [Theory, BitAutoData] public async Task PostImportIndividual_ImportCiphersRequestModel_BadRequestException(SutProvider sutProvider, IFixture fixture) { // Arrange sutProvider.GetDependency() .SelfHosted = false; var ciphers = fixture.CreateMany(7001).ToArray(); var model = new ImportCiphersRequestModel { Ciphers = ciphers, FolderRelationships = null, Folders = null }; // Act var exception = await Assert.ThrowsAsync(() => sutProvider.Sut.PostImport(model)); // Assert Assert.Equal("You cannot import this much data at once.", exception.Message); } [Theory, BitAutoData] public async Task PostImportIndividual_ImportCiphersRequestModel_Success(User user, IFixture fixture, SutProvider sutProvider) { // Arrange sutProvider.GetDependency() .SelfHosted = false; sutProvider.GetDependency() .GetProperUserId(Arg.Any()) .Returns(user.Id); var request = fixture.Build() .With(x => x.Ciphers, fixture.Build() .With(c => c.OrganizationId, Guid.NewGuid().ToString()) .With(c => c.FolderId, Guid.NewGuid().ToString()) .CreateMany(1).ToArray()) .Create(); // Act await sutProvider.Sut.PostImport(request); // Assert await sutProvider.GetDependency() .Received() .ImportIntoIndividualVaultAsync( Arg.Any>(), Arg.Any>(), Arg.Any>>() ); } /**************************** * PostImport - Organization ****************************/ [Theory, BitAutoData] public async Task PostImportOrganization_ImportOrganizationCiphersRequestModel_BadRequestException(SutProvider sutProvider, IFixture fixture) { // Arrange var globalSettings = sutProvider.GetDependency(); globalSettings.SelfHosted = false; var userService = sutProvider.GetDependency(); userService.GetProperUserId(Arg.Any()) .Returns(null as Guid?); globalSettings.ImportCiphersLimitation = new GlobalSettings.ImportCiphersLimitationSettings() { // limits are set in appsettings.json, making values small for test to run faster. CiphersLimit = 200, CollectionsLimit = 400, CollectionRelationshipsLimit = 20 }; var ciphers = fixture.CreateMany(201).ToArray(); var model = new ImportOrganizationCiphersRequestModel { Collections = null, Ciphers = ciphers, CollectionRelationships = null }; // Act var exception = await Assert.ThrowsAsync(() => sutProvider.Sut.PostImport(Arg.Any(), model)); // Assert Assert.Equal("You cannot import this much data at once.", exception.Message); } [Theory, BitAutoData] public async Task PostImportOrganization_ImportOrganizationCiphersRequestModel_Succeeds( SutProvider sutProvider, IFixture fixture, User user) { // Arrange var orgId = "AD89E6F8-4E84-4CFE-A978-256CC0DBF974"; var orgIdGuid = Guid.Parse(orgId); var existingCollections = fixture.CreateMany(2).ToArray(); sutProvider.GetDependency().SelfHosted = false; sutProvider.GetDependency() .GetProperUserId(Arg.Any()) .Returns(user.Id); var request = fixture.Build() .With(x => x.Ciphers, fixture.Build() .With(c => c.OrganizationId, Guid.NewGuid().ToString()) .With(c => c.FolderId, Guid.NewGuid().ToString()) .CreateMany(1).ToArray()) .With(y => y.Collections, fixture.Build() .With(c => c.Id, orgIdGuid) .CreateMany(1).ToArray()) .Create(); // AccessImportExport permission setup sutProvider.GetDependency() .AccessImportExport(Arg.Any()) .Returns(false); // BulkCollectionOperations.ImportCiphers permission setup sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.ImportCiphers))) .Returns(AuthorizationResult.Success()); // BulkCollectionOperations.Create permission setup sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.Create))) .Returns(AuthorizationResult.Success()); sutProvider.GetDependency() .GetManyByOrganizationIdAsync(orgIdGuid) .Returns(existingCollections.Select(c => new Collection { Id = orgIdGuid }).ToList()); // Act await sutProvider.Sut.PostImport(orgId, request); // Assert await sutProvider.GetDependency() .Received(1) .ImportIntoOrganizationalVaultAsync( Arg.Any>(), Arg.Any>(), Arg.Any>>(), Arg.Any()); } [Theory, BitAutoData] public async Task PostImportOrganization_WithAccessImportExport_Succeeds( SutProvider sutProvider, IFixture fixture, User user) { // Arrange var orgId = "AD89E6F8-4E84-4CFE-A978-256CC0DBF974"; var orgIdGuid = Guid.Parse(orgId); var existingCollections = fixture.CreateMany(2).ToArray(); sutProvider.GetDependency().SelfHosted = false; sutProvider.GetDependency() .GetProperUserId(Arg.Any()) .Returns(user.Id); var request = fixture.Build() .With(x => x.Ciphers, fixture.Build() .With(c => c.OrganizationId, Guid.NewGuid().ToString()) .With(c => c.FolderId, Guid.NewGuid().ToString()) .CreateMany(1).ToArray()) .With(y => y.Collections, fixture.Build() .With(c => c.Id, orgIdGuid) .CreateMany(1).ToArray()) .Create(); // AccessImportExport permission setup sutProvider.GetDependency() .AccessImportExport(Arg.Any()) .Returns(false); // BulkCollectionOperations.ImportCiphers permission setup sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.ImportCiphers))) .Returns(AuthorizationResult.Success()); // BulkCollectionOperations.Create permission setup sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.Create))) .Returns(AuthorizationResult.Success()); sutProvider.GetDependency() .GetManyByOrganizationIdAsync(orgIdGuid) .Returns(existingCollections.Select(c => new Collection { Id = orgIdGuid }).ToList()); // Act await sutProvider.Sut.PostImport(orgId, request); // Assert await sutProvider.GetDependency() .Received(1) .ImportIntoOrganizationalVaultAsync( Arg.Any>(), Arg.Any>(), Arg.Any>>(), Arg.Any()); } [Theory, BitAutoData] public async Task PostImportOrganization_WithExistingCollectionsAndWithoutImportCiphersPermissions_ThrowsException( SutProvider sutProvider, IFixture fixture, User user) { // Arrange var orgId = "AD89E6F8-4E84-4CFE-A978-256CC0DBF974"; var orgIdGuid = Guid.Parse(orgId); var existingCollections = fixture.CreateMany(2).ToArray(); sutProvider.GetDependency().SelfHosted = false; SetupUserService(sutProvider, user); var request = fixture.Build() .With(x => x.Ciphers, fixture.Build() .With(c => c.OrganizationId, Guid.NewGuid().ToString()) .With(c => c.FolderId, Guid.NewGuid().ToString()) .CreateMany(1).ToArray()) .With(y => y.Collections, fixture.Build() .With(c => c.Id, orgIdGuid) .CreateMany(1).ToArray()) .Create(); // AccessImportExport permission setup sutProvider.GetDependency() .AccessImportExport(Arg.Any()) .Returns(false); // BulkCollectionOperations.ImportCiphers permission setup sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.ImportCiphers))) .Returns(AuthorizationResult.Failed()); // BulkCollectionOperations.Create permission setup sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.Create))) .Returns(AuthorizationResult.Failed()); sutProvider.GetDependency() .GetManyByOrganizationIdAsync(orgIdGuid) .Returns(existingCollections.Select(c => new Collection { Id = orgIdGuid }).ToList()); // Act var exception = await Assert.ThrowsAsync(() => sutProvider.Sut.PostImport(orgId, request)); // Assert Assert.IsType(exception); } [Theory, BitAutoData] public async Task PostImportOrganization_WithoutCreatePermissions_ThrowsException( SutProvider sutProvider, IFixture fixture, User user) { // Arrange var orgId = "AD89E6F8-4E84-4CFE-A978-256CC0DBF974"; var orgIdGuid = Guid.Parse(orgId); var existingCollections = fixture.CreateMany(2).ToArray(); sutProvider.GetDependency().SelfHosted = false; sutProvider.GetDependency() .GetProperUserId(Arg.Any()) .Returns(user.Id); var request = fixture.Build() .With(x => x.Ciphers, fixture.Build() .With(c => c.OrganizationId, Guid.NewGuid().ToString()) .With(c => c.FolderId, Guid.NewGuid().ToString()) .CreateMany(1).ToArray()) .With(y => y.Collections, fixture.Build() .With(c => c.Id, orgIdGuid) .CreateMany(1).ToArray()) .Create(); // AccessImportExport permission setup sutProvider.GetDependency() .AccessImportExport(Arg.Any()) .Returns(false); // BulkCollectionOperations.ImportCiphers permission setup sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.ImportCiphers))) .Returns(AuthorizationResult.Failed()); // BulkCollectionOperations.Create permission setup sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.Create))) .Returns(AuthorizationResult.Failed()); sutProvider.GetDependency() .GetManyByOrganizationIdAsync(orgIdGuid) .Returns(existingCollections.Select(c => new Collection { Id = orgIdGuid }).ToList()); // Act var exception = await Assert.ThrowsAsync(() => sutProvider.Sut.PostImport(orgId, request)); // Assert Assert.IsType(exception); } [Theory, BitAutoData] public async Task PostImportOrganization_CanCreateChildCollectionsWithCreateAndImportPermissionsAsync( SutProvider sutProvider, IFixture fixture, User user) { // Arrange var orgId = Guid.NewGuid(); sutProvider.GetDependency().SelfHosted = false; SetupUserService(sutProvider, user); // Create new collections var newCollections = fixture.Build() .CreateMany(2).ToArray(); // define existing collections var existingCollections = fixture.CreateMany(2).ToArray(); // import model includes new and existing collection var request = new ImportOrganizationCiphersRequestModel { Collections = newCollections.Concat(existingCollections).ToArray(), Ciphers = fixture.Build() .With(_ => _.OrganizationId, orgId.ToString()) .With(_ => _.FolderId, Guid.NewGuid().ToString()) .CreateMany(2).ToArray(), CollectionRelationships = new List>().ToArray(), }; // AccessImportExport permission - false sutProvider.GetDependency() .AccessImportExport(Arg.Any()) .Returns(false); // BulkCollectionOperations.ImportCiphers permission - true sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.ImportCiphers))) .Returns(AuthorizationResult.Success()); // BulkCollectionOperations.Create permission - true sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.Create))) .Returns(AuthorizationResult.Success()); sutProvider.GetDependency() .GetManyByOrganizationIdAsync(orgId) .Returns(existingCollections.Select(c => new Collection { OrganizationId = orgId, Id = c.Id.GetValueOrDefault() }) .ToList()); // Act // User imports into collections and creates new collections // User has ImportCiphers and Create ciphers permission await sutProvider.Sut.PostImport(orgId.ToString(), request); // Assert await sutProvider.GetDependency() .Received(1) .ImportIntoOrganizationalVaultAsync( Arg.Any>(), Arg.Any>(), Arg.Any>>(), Arg.Any()); } [Theory, BitAutoData] public async Task PostImportOrganization_CannotCreateChildCollectionsWithoutCreatePermissionsAsync( SutProvider sutProvider, IFixture fixture, User user) { // Arrange var orgId = Guid.NewGuid(); sutProvider.GetDependency().SelfHosted = false; SetupUserService(sutProvider, user); // Create new collections var newCollections = fixture.Build() .CreateMany(2).ToArray(); // define existing collections var existingCollections = fixture.CreateMany(2).ToArray(); // import model includes new and existing collection var request = new ImportOrganizationCiphersRequestModel { Collections = newCollections.Concat(existingCollections).ToArray(), Ciphers = fixture.Build() .With(_ => _.OrganizationId, orgId.ToString()) .With(_ => _.FolderId, Guid.NewGuid().ToString()) .CreateMany(2).ToArray(), CollectionRelationships = new List>().ToArray(), }; // AccessImportExport permission - false sutProvider.GetDependency() .AccessImportExport(Arg.Any()) .Returns(false); // BulkCollectionOperations.ImportCiphers permission - true sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.ImportCiphers))) .Returns(AuthorizationResult.Success()); // BulkCollectionOperations.Create permission - FALSE sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.Create))) .Returns(AuthorizationResult.Failed()); sutProvider.GetDependency() .GetManyByOrganizationIdAsync(orgId) .Returns(existingCollections.Select(c => new Collection { OrganizationId = orgId, Id = c.Id.GetValueOrDefault() }) .ToList()); // Act // User imports into an existing collection and creates new collections // User has ImportCiphers permission only and doesn't have Create permission var exception = await Assert.ThrowsAsync(async () => { await sutProvider.Sut.PostImport(orgId.ToString(), request); }); // Assert Assert.IsType(exception); await sutProvider.GetDependency() .DidNotReceive() .ImportIntoOrganizationalVaultAsync( Arg.Any>(), Arg.Any>(), Arg.Any>>(), Arg.Any()); } [Theory, BitAutoData] public async Task PostImportOrganization_ImportIntoNewCollectionWithCreatePermissionsOnlyAsync( SutProvider sutProvider, IFixture fixture, User user) { // Arrange var orgId = Guid.NewGuid(); sutProvider.GetDependency().SelfHosted = false; SetupUserService(sutProvider, user); // Create new collections var newCollections = fixture.CreateMany(1).ToArray(); // Define existing collections var existingCollections = new List(); // Import model includes new and existing collection var request = new ImportOrganizationCiphersRequestModel { Collections = newCollections.Concat(existingCollections).ToArray(), Ciphers = fixture.Build() .With(_ => _.OrganizationId, orgId.ToString()) .With(_ => _.FolderId, Guid.NewGuid().ToString()) .CreateMany(2).ToArray(), CollectionRelationships = new List>().ToArray(), }; // AccessImportExport permission - false sutProvider.GetDependency() .AccessImportExport(Arg.Any()) .Returns(false); // BulkCollectionOperations.ImportCiphers permission - FALSE sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.ImportCiphers))) .Returns(AuthorizationResult.Failed()); // BulkCollectionOperations.Create permission - TRUE sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.Create))) .Returns(AuthorizationResult.Success()); sutProvider.GetDependency() .GetManyByOrganizationIdAsync(orgId) .Returns(new List()); // Act // User imports/creates a new collection - existing collections not affected // User has create permissions and doesn't need import permissions await sutProvider.Sut.PostImport(orgId.ToString(), request); // Assert await sutProvider.GetDependency() .Received(1) .ImportIntoOrganizationalVaultAsync( Arg.Any>(), Arg.Any>(), Arg.Any>>(), Arg.Any()); } [Theory, BitAutoData] public async Task PostImportOrganization_ImportIntoExistingCollectionWithImportPermissionsOnlySuccessAsync( SutProvider sutProvider, IFixture fixture, User user) { // Arrange var orgId = Guid.NewGuid(); sutProvider.GetDependency().SelfHosted = false; SetupUserService(sutProvider, user); // No new collections var newCollections = new List(); // Define existing collections var existingCollections = fixture.CreateMany(1).ToArray(); // Import model includes new and existing collection var request = new ImportOrganizationCiphersRequestModel { Collections = newCollections.Concat(existingCollections).ToArray(), Ciphers = fixture.Build() .With(_ => _.OrganizationId, orgId.ToString()) .With(_ => _.FolderId, Guid.NewGuid().ToString()) .CreateMany(2).ToArray(), CollectionRelationships = new List>().ToArray(), }; // AccessImportExport permission - false sutProvider.GetDependency() .AccessImportExport(Arg.Any()) .Returns(false); // BulkCollectionOperations.ImportCiphers permission - true sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.ImportCiphers))) .Returns(AuthorizationResult.Success()); // BulkCollectionOperations.Create permission - FALSE sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.Create))) .Returns(AuthorizationResult.Failed()); sutProvider.GetDependency() .GetManyByOrganizationIdAsync(orgId) .Returns(existingCollections.Select(c => new Collection { OrganizationId = orgId, Id = c.Id.GetValueOrDefault() }) .ToList()); // Act // User import into existing collection // User has ImportCiphers permission only and doesn't need create permission await sutProvider.Sut.PostImport(orgId.ToString(), request); // Assert await sutProvider.GetDependency() .Received(1) .ImportIntoOrganizationalVaultAsync( Arg.Any>(), Arg.Any>(), Arg.Any>>(), Arg.Any()); } [Theory, BitAutoData] public async Task PostImportOrganization_ImportWithNoCollectionsWithCreatePermissionsOnlySuccessAsync( SutProvider sutProvider, IFixture fixture, User user) { // Arrange var orgId = Guid.NewGuid(); sutProvider.GetDependency().SelfHosted = false; SetupUserService(sutProvider, user); // Import model includes new and existing collection var request = new ImportOrganizationCiphersRequestModel { Collections = new List().ToArray(), // No collections Ciphers = fixture.Build() .With(_ => _.OrganizationId, orgId.ToString()) .With(_ => _.FolderId, Guid.NewGuid().ToString()) .CreateMany(2).ToArray(), CollectionRelationships = new List>().ToArray(), }; // AccessImportExport permission - false sutProvider.GetDependency() .AccessImportExport(Arg.Any()) .Returns(false); // BulkCollectionOperations.ImportCiphers permission - false sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.ImportCiphers))) .Returns(AuthorizationResult.Failed()); // BulkCollectionOperations.Create permission - TRUE sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), Arg.Any>(), Arg.Is>(reqs => reqs.Contains(BulkCollectionOperations.Create))) .Returns(AuthorizationResult.Success()); sutProvider.GetDependency() .GetManyByOrganizationIdAsync(orgId) .Returns(new List()); // Act // import ciphers only and no collections // User has Create permissions // expected to be successful await sutProvider.Sut.PostImport(orgId.ToString(), request); // Assert await sutProvider.GetDependency() .Received(1) .ImportIntoOrganizationalVaultAsync( Arg.Any>(), Arg.Any>(), Arg.Any>>(), Arg.Any()); } private static void SetupUserService(SutProvider sutProvider, User user) { // This is a workaround for the NSubstitute issue with ambiguous arguments // when using Arg.Any() in the GetProperUserId method // It clears the previous calls to the userService and sets up a new call // with the same argument var userService = sutProvider.GetDependency(); try { // in order to fix the Ambiguous Arguments error in NSubstitute // we need to clear the previous calls userService.ClearSubstitute(); userService.ClearReceivedCalls(); userService.GetProperUserId(Arg.Any()); } catch { } userService.GetProperUserId(Arg.Any()).Returns(user.Id); } }