using System.Net;
using Bit.Api.IntegrationTest.Factories;
using Bit.Api.IntegrationTest.SecretsManager.Enums;
using Bit.Api.IntegrationTest.SecretsManager.Helpers;
using Bit.Api.SecretsManager.Models.Response;
using Bit.Core.AdminConsole.Entities;
using Bit.Core.AdminConsole.Repositories;
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Repositories;
using Bit.Core.SecretsManager.Entities;
using Bit.Core.SecretsManager.Repositories;
using Xunit;
namespace Bit.Api.IntegrationTest.SecretsManager.Controllers;
public class CountsControllerTests : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
{
private readonly string _mockEncryptedString =
"2.3Uk+WNBIoU5xzmVFNcoWzz==|1MsPIYuRfdOHfu/0uY6H2Q==|/98sp4wb6pHP1VTZ9JcNCYgQjEUMFPlqJgCwRk1YXKg=";
private readonly HttpClient _client;
private readonly ApiApplicationFactory _factory;
private readonly IProjectRepository _projectRepository;
private readonly ISecretRepository _secretRepository;
private readonly IServiceAccountRepository _serviceAccountRepository;
private readonly IApiKeyRepository _apiKeyRepository;
private readonly IAccessPolicyRepository _accessPolicyRepository;
private readonly IGroupRepository _groupRepository;
private readonly IOrganizationUserRepository _organizationUserRepository;
private readonly LoginHelper _loginHelper;
private string _email = null!;
private SecretsManagerOrganizationHelper _organizationHelper = null!;
public CountsControllerTests(ApiApplicationFactory factory)
{
_factory = factory;
_client = _factory.CreateClient();
_projectRepository = _factory.GetService<IProjectRepository>();
_secretRepository = _factory.GetService<ISecretRepository>();
_serviceAccountRepository = _factory.GetService<IServiceAccountRepository>();
_apiKeyRepository = _factory.GetService<IApiKeyRepository>();
_accessPolicyRepository = _factory.GetService<IAccessPolicyRepository>();
_groupRepository = _factory.GetService<IGroupRepository>();
_organizationUserRepository = _factory.GetService<IOrganizationUserRepository>();
_loginHelper = new LoginHelper(_factory, _client);
}
public async Task InitializeAsync()
{
_email = $"integration-test{Guid.NewGuid()}@bitwarden.com";
await _factory.LoginWithNewAccount(_email);
_organizationHelper = new SecretsManagerOrganizationHelper(_factory, _email);
}
public Task DisposeAsync()
{
_client.Dispose();
return Task.CompletedTask;
}
[Theory]
[InlineData(false, false, false)]
[InlineData(false, false, true)]
[InlineData(false, true, false)]
[InlineData(false, true, true)]
[InlineData(true, false, false)]
[InlineData(true, false, true)]
[InlineData(true, true, false)]
public async Task GetByOrganizationAsync_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets,
bool organizationEnabled)
{
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
await _loginHelper.LoginAsync(_email);
var response = await _client.GetAsync($"/organizations/{org.Id}/sm-counts");
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task GetByOrganizationAsync_RunAsServiceAccount_NotFound()
{
var (_, org, _) = await SetupProjectsWithAccessAsync(PermissionType.RunAsServiceAccountWithPermission);
var response = await _client.GetAsync($"/organizations/{org.Id}/sm-counts");
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task GetByOrganizationAsync_UserWithoutPermission_ZeroCounts()
{
var (_, org, _) = await SetupProjectsWithAccessAsync(PermissionType.RunAsUserWithPermission, 0);
var projects = await CreateProjectsAsync(org.Id);
await CreateSecretsAsync(org.Id, projects[0]);
await CreateServiceAccountsAsync(org.Id);
var response = await _client.GetAsync($"/organizations/{org.Id}/sm-counts");
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<OrganizationCountsResponseModel>();
Assert.NotNull(result);
Assert.Equal(0, result.Projects);
Assert.Equal(0, result.Secrets);
Assert.Equal(0, result.ServiceAccounts);
}
[Theory]
[InlineData(PermissionType.RunAsAdmin)]
[InlineData(PermissionType.RunAsUserWithPermission)]
public async Task GetByOrganizationAsync_Success(PermissionType permissionType)
{
var (projects, org, user) = await SetupProjectsWithAccessAsync(permissionType);
var projectsWithoutAccess = await CreateProjectsAsync(org.Id);
var secrets = await CreateSecretsAsync(org.Id, projects[0]);
var secretsWithoutAccess = await CreateSecretsAsync(org.Id, projectsWithoutAccess[0]);
var secretsWithoutProject = await CreateSecretsAsync(org.Id, null);
var serviceAccounts = await CreateServiceAccountsAsync(org.Id);
await CreateUserServiceAccountAccessPolicyAsync(user.Id, serviceAccounts[0].Id);
var response = await _client.GetAsync($"/organizations/{org.Id}/sm-counts");
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<OrganizationCountsResponseModel>();
Assert.NotNull(result);
if (permissionType == PermissionType.RunAsAdmin)
{
Assert.Equal(projects.Count + projectsWithoutAccess.Count, result.Projects);
Assert.Equal(secrets.Count + secretsWithoutAccess.Count + secretsWithoutProject.Count,
result.Secrets);
Assert.Equal(serviceAccounts.Count, result.ServiceAccounts);
}
else
{
Assert.Equal(projects.Count, result.Projects);
Assert.Equal(secrets.Count, result.Secrets);
Assert.Equal(1, result.ServiceAccounts);
}
}
[Theory]
[InlineData(false, false, false)]
[InlineData(false, false, true)]
[InlineData(false, true, false)]
[InlineData(false, true, true)]
[InlineData(true, false, false)]
[InlineData(true, false, true)]
[InlineData(true, true, false)]
public async Task GetByProjectAsync_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets,
bool organizationEnabled)
{
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
await _loginHelper.LoginAsync(_email);
var projects = await CreateProjectsAsync(org.Id);
var response = await _client.GetAsync($"/projects/{projects[0].Id}/sm-counts");
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task GetByProjectAsync_RunAsServiceAccount_NotFound()
{
var (projects, _, _) = await SetupProjectsWithAccessAsync(PermissionType.RunAsServiceAccountWithPermission);
var response = await _client.GetAsync($"/projects/{projects[0].Id}/sm-counts");
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Theory]
[InlineData(PermissionType.RunAsAdmin)]
[InlineData(PermissionType.RunAsUserWithPermission)]
public async Task GetByProjectAsync_NonExistingProject_NotFound(PermissionType permissionType)
{
await SetupProjectsWithAccessAsync(permissionType);
var response = await _client.GetAsync($"/projects/{Guid.NewGuid().ToString()}/sm-counts");
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task GetByProjectAsync_UserWithoutPermission_ZeroCounts()
{
var (_, org, user) = await SetupProjectsWithAccessAsync(PermissionType.RunAsUserWithPermission, 0);
var projects = await CreateProjectsAsync(org.Id);
await CreateSecretsAsync(org.Id, projects[0]);
var groups = await CreateGroupsAsync(org.Id, user);
await CreateGroupProjectAccessPolicyAsync(groups[0].Id, projects[0].Id);
var serviceAccounts = await CreateServiceAccountsAsync(org.Id);
await CreateServiceAccountProjectAccessPolicyAsync(projects[0].Id, serviceAccounts[0].Id);
var response = await _client.GetAsync($"/projects/{projects[0].Id}/sm-counts");
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<ProjectCountsResponseModel>();
Assert.NotNull(result);
Assert.Equal(0, result.Secrets);
Assert.Equal(0, result.People);
Assert.Equal(0, result.ServiceAccounts);
}
[Theory]
[InlineData(PermissionType.RunAsAdmin, true)]
[InlineData(PermissionType.RunAsUserWithPermission, false)]
[InlineData(PermissionType.RunAsUserWithPermission, true)]
public async Task GetByProjectAsync_Success(PermissionType permissionType, bool userProjectWriteAccess)
{
var (projects, org, user) = await SetupProjectsWithAccessAsync(permissionType, 3, userProjectWriteAccess);
var secrets = await CreateSecretsAsync(org.Id, projects[0]);
await CreateSecretsAsync(org.Id, projects[1]);
var groups = await CreateGroupsAsync(org.Id, user);
await CreateGroupProjectAccessPolicyAsync(groups[0].Id, projects[0].Id);
await CreateGroupProjectAccessPolicyAsync(groups[0].Id, projects[1].Id);
var (_, user2) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await CreateUserProjectAccessPolicyAsync(user2.Id, projects[0].Id);
var serviceAccounts = await CreateServiceAccountsAsync(org.Id);
await CreateUserServiceAccountAccessPolicyAsync(user.Id, serviceAccounts[0].Id);
await CreateServiceAccountProjectAccessPolicyAsync(projects[0].Id, serviceAccounts[0].Id);
var response = await _client.GetAsync($"/projects/{projects[0].Id}/sm-counts");
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<ProjectCountsResponseModel>();
Assert.NotNull(result);
Assert.Equal(secrets.Count, result.Secrets);
if (userProjectWriteAccess)
{
Assert.Equal(permissionType == PermissionType.RunAsAdmin ? 2 : 3, result.People);
Assert.Equal(1, result.ServiceAccounts);
}
else
{
Assert.Equal(0, result.People);
Assert.Equal(0, result.ServiceAccounts);
}
}
[Theory]
[InlineData(false, false, false)]
[InlineData(false, false, true)]
[InlineData(false, true, false)]
[InlineData(false, true, true)]
[InlineData(true, false, false)]
[InlineData(true, false, true)]
[InlineData(true, true, false)]
public async Task GetByServiceAccountAsync_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets,
bool organizationEnabled)
{
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
await _loginHelper.LoginAsync(_email);
var serviceAccounts = await CreateServiceAccountsAsync(org.Id);
var response = await _client.GetAsync($"/service-accounts/{serviceAccounts[0].Id}/sm-counts");
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task GetByServiceAccountAsync_RunAsServiceAccount_NotFound()
{
var (_, org, _) = await SetupProjectsWithAccessAsync(PermissionType.RunAsServiceAccountWithPermission);
var serviceAccounts = await CreateServiceAccountsAsync(org.Id);
var response = await _client.GetAsync($"/service-accounts/{serviceAccounts[0].Id}/sm-counts");
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Theory]
[InlineData(PermissionType.RunAsAdmin)]
[InlineData(PermissionType.RunAsUserWithPermission)]
public async Task GetByServiceAccountAsync_NonExistingServiceAccount_NotFound(PermissionType permissionType)
{
await SetupProjectsWithAccessAsync(permissionType);
var response = await _client.GetAsync($"/service-accounts/{Guid.NewGuid().ToString()}/sm-counts");
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task GetByServiceAccountAsync_UserWithoutPermission_ZeroCounts()
{
var (_, org, user) = await SetupProjectsWithAccessAsync(PermissionType.RunAsUserWithPermission, 0);
var projects = await CreateProjectsAsync(org.Id);
var serviceAccounts = await CreateServiceAccountsAsync(org.Id);
await CreateServiceAccountProjectAccessPolicyAsync(projects[0].Id, serviceAccounts[0].Id);
var groups = await CreateGroupsAsync(org.Id, user);
await CreateGroupServiceAccountAccessPolicyAsync(groups[0].Id, serviceAccounts[0].Id);
await CreateApiKeysAsync(serviceAccounts[0]);
var response = await _client.GetAsync($"/service-accounts/{serviceAccounts[0].Id}/sm-counts");
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<ServiceAccountCountsResponseModel>();
Assert.NotNull(result);
Assert.Equal(0, result.Projects);
Assert.Equal(0, result.People);
Assert.Equal(0, result.AccessTokens);
}
[Theory]
[InlineData(PermissionType.RunAsAdmin)]
[InlineData(PermissionType.RunAsUserWithPermission)]
public async Task GetByServiceAccountAsync_Success(PermissionType permissionType)
{
var (projects, org, user) = await SetupProjectsWithAccessAsync(permissionType);
var serviceAccounts = await CreateServiceAccountsAsync(org.Id);
await CreateServiceAccountProjectAccessPolicyAsync(projects[0].Id, serviceAccounts[0].Id);
await CreateServiceAccountProjectAccessPolicyAsync(projects[0].Id, serviceAccounts[1].Id);
await CreateServiceAccountProjectAccessPolicyAsync(projects[1].Id, serviceAccounts[0].Id);
await CreateUserServiceAccountAccessPolicyAsync(user.Id, serviceAccounts[0].Id);
var groups = await CreateGroupsAsync(org.Id, user);
await CreateGroupServiceAccountAccessPolicyAsync(groups[0].Id, serviceAccounts[0].Id);
await CreateGroupServiceAccountAccessPolicyAsync(groups[0].Id, serviceAccounts[1].Id);
var (_, user2) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await CreateUserServiceAccountAccessPolicyAsync(user2.Id, serviceAccounts[0].Id);
var apiKeys = await CreateApiKeysAsync(serviceAccounts[0]);
await CreateApiKeysAsync(serviceAccounts[1]);
var response = await _client.GetAsync($"/service-accounts/{serviceAccounts[0].Id}/sm-counts");
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<ServiceAccountCountsResponseModel>();
Assert.NotNull(result);
Assert.Equal(2, result.Projects);
Assert.Equal(3, result.People);
Assert.Equal(apiKeys.Count, result.AccessTokens);
}
private async Task<List<Project>> CreateProjectsAsync(Guid orgId, int numberToCreate = 3)
{
var projects = new List<Project>();
for (var i = 0; i < numberToCreate; i++)
{
var project = await _projectRepository.CreateAsync(new Project
{
OrganizationId = orgId,
Name = _mockEncryptedString,
});
projects.Add(project);
}
return projects;
}
private async Task<List<Secret>> CreateSecretsAsync(Guid organizationId, Project? project, int numberToCreate = 3)
{
var secrets = new List<Secret>();
for (var i = 0; i < numberToCreate; i++)
{
var secret = await _secretRepository.CreateAsync(new Secret
{
OrganizationId = organizationId,
Key = _mockEncryptedString,
Value = _mockEncryptedString,
Note = _mockEncryptedString,
Projects = project != null ? new List<Project> { project } : null
});
secrets.Add(secret);
}
return secrets;
}
private async Task<List<ServiceAccount>> CreateServiceAccountsAsync(Guid organizationId, int numberToCreate = 3)
{
var serviceAccounts = new List<ServiceAccount>();
for (var i = 0; i < numberToCreate; i++)
{
var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
{
OrganizationId = organizationId,
Name = _mockEncryptedString
});
serviceAccounts.Add(serviceAccount);
}
return serviceAccounts;
}
private async Task<List<Group>> CreateGroupsAsync(Guid organizationId, OrganizationUser? user,
int numberToCreate = 3)
{
var groups = new List<Group>();
for (var i = 0; i < numberToCreate; i++)
{
var group = await _groupRepository.CreateAsync(new Group
{
OrganizationId = organizationId,
Name = _mockEncryptedString,
});
groups.Add(group);
if (user != null)
{
await _organizationUserRepository.UpdateGroupsAsync(user.Id, [group.Id]);
}
}
return groups;
}
private async Task<List<ApiKey>> CreateApiKeysAsync(ServiceAccount serviceAccount, int numberToCreate = 3)
{
var apiKeys = new List<ApiKey>();
for (var i = 0; i < numberToCreate; i++)
{
var apiKey = await _apiKeyRepository.CreateAsync(new ApiKey
{
Name = _mockEncryptedString,
ServiceAccountId = serviceAccount.Id,
Scope = "api.secrets",
Key = serviceAccount.OrganizationId.ToString(),
EncryptedPayload = _mockEncryptedString,
ClientSecretHash = "807613bbf6692e6809a571bc694a4719a5aa6863f7a62bd714003ab73de588e6"
});
apiKeys.Add(apiKey);
}
return apiKeys;
}
private async Task<(List<Project>, Organization, OrganizationUser)> SetupProjectsWithAccessAsync(
PermissionType permissionType,
int projectsToCreate = 3,
bool writeAccess = false)
{
var (org, owner) = await _organizationHelper.Initialize(true, true, true);
var projects = await CreateProjectsAsync(org.Id, projectsToCreate);
var user = owner;
switch (permissionType)
{
case PermissionType.RunAsAdmin:
await _loginHelper.LoginAsync(_email);
break;
case PermissionType.RunAsUserWithPermission:
{
var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
user = orgUser;
await _loginHelper.LoginAsync(email);
foreach (var project in projects)
{
await CreateUserProjectAccessPolicyAsync(user.Id, project.Id, writeAccess);
}
break;
}
case PermissionType.RunAsServiceAccountWithPermission:
{
var apiKeyDetails = await _organizationHelper.CreateNewServiceAccountApiKeyAsync();
await _loginHelper.LoginWithApiKeyAsync(apiKeyDetails);
foreach (var project in projects)
{
await CreateServiceAccountProjectAccessPolicyAsync(project.Id, apiKeyDetails.ApiKey.ServiceAccountId!.Value);
}
break;
}
default:
throw new ArgumentOutOfRangeException(nameof(permissionType), permissionType, null);
}
return (projects, org, user);
}
private async Task CreateUserProjectAccessPolicyAsync(Guid userId, Guid projectId, bool write = false)
{
var policy = new UserProjectAccessPolicy
{
OrganizationUserId = userId,
GrantedProjectId = projectId,
Read = true,
Write = write,
};
await _accessPolicyRepository.CreateManyAsync([policy]);
}
private async Task CreateGroupProjectAccessPolicyAsync(Guid groupId, Guid projectId)
{
var policy = new GroupProjectAccessPolicy
{
GroupId = groupId,
GrantedProjectId = projectId,
Read = true,
Write = false,
};
await _accessPolicyRepository.CreateManyAsync([policy]);
}
private async Task CreateUserServiceAccountAccessPolicyAsync(Guid userId, Guid serviceAccountId)
{
var policy = new UserServiceAccountAccessPolicy
{
OrganizationUserId = userId,
GrantedServiceAccountId = serviceAccountId,
Read = true,
Write = false,
};
await _accessPolicyRepository.CreateManyAsync([policy]);
}
private async Task CreateGroupServiceAccountAccessPolicyAsync(Guid groupId, Guid serviceAccountId)
{
var policy = new GroupServiceAccountAccessPolicy
{
GroupId = groupId,
GrantedServiceAccountId = serviceAccountId,
Read = true,
Write = false
};
await _accessPolicyRepository.CreateManyAsync([policy]);
}
private async Task CreateServiceAccountProjectAccessPolicyAsync(Guid projectId, Guid serviceAccountId)
{
var policy = new ServiceAccountProjectAccessPolicy
{
ServiceAccountId = serviceAccountId,
GrantedProjectId = projectId,
Read = true,
Write = false,
};
await _accessPolicyRepository.CreateManyAsync([policy]);
}
}