1
0
mirror of https://github.com/bitwarden/server.git synced 2024-12-22 16:57:36 +01:00

SM-281: Secrets Manager Trash (#2688)

This commit is contained in:
Colton Hurst 2023-02-20 13:01:49 -05:00 committed by GitHub
parent 34544f2292
commit 16bdd67cad
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
12 changed files with 525 additions and 2 deletions

View File

@ -0,0 +1,28 @@
using Bit.Core.Exceptions;
using Bit.Core.SecretsManager.Commands.Trash.Interfaces;
using Bit.Core.SecretsManager.Repositories;
namespace Bit.Commercial.Core.SecretsManager.Commands.Trash;
public class EmptyTrashCommand : IEmptyTrashCommand
{
private readonly ISecretRepository _secretRepository;
public EmptyTrashCommand(ISecretRepository secretRepository)
{
_secretRepository = secretRepository;
}
public async Task EmptyTrash(Guid organizationId, List<Guid> ids)
{
var secrets = await _secretRepository.GetManyByOrganizationIdInTrashByIdsAsync(organizationId, ids);
var missingId = ids.Except(secrets.Select(_ => _.Id)).Any();
if (missingId)
{
throw new NotFoundException();
}
await _secretRepository.HardDeleteManyByIdAsync(ids);
}
}

View File

@ -0,0 +1,28 @@
using Bit.Core.Exceptions;
using Bit.Core.SecretsManager.Commands.Trash.Interfaces;
using Bit.Core.SecretsManager.Repositories;
namespace Bit.Commercial.Core.SecretsManager.Commands.Trash;
public class RestoreTrashCommand : IRestoreTrashCommand
{
private readonly ISecretRepository _secretRepository;
public RestoreTrashCommand(ISecretRepository secretRepository)
{
_secretRepository = secretRepository;
}
public async Task RestoreTrash(Guid organizationId, List<Guid> ids)
{
var secrets = await _secretRepository.GetManyByOrganizationIdInTrashByIdsAsync(organizationId, ids);
var missingId = ids.Except(secrets.Select(_ => _.Id)).Any();
if (missingId)
{
throw new NotFoundException();
}
await _secretRepository.RestoreManyByIdAsync(ids);
}
}

View File

@ -4,12 +4,14 @@ using Bit.Commercial.Core.SecretsManager.Commands.Porting;
using Bit.Commercial.Core.SecretsManager.Commands.Projects;
using Bit.Commercial.Core.SecretsManager.Commands.Secrets;
using Bit.Commercial.Core.SecretsManager.Commands.ServiceAccounts;
using Bit.Commercial.Core.SecretsManager.Commands.Trash;
using Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
using Bit.Core.SecretsManager.Commands.AccessTokens.Interfaces;
using Bit.Core.SecretsManager.Commands.Porting.Interfaces;
using Bit.Core.SecretsManager.Commands.Projects.Interfaces;
using Bit.Core.SecretsManager.Commands.Secrets.Interfaces;
using Bit.Core.SecretsManager.Commands.ServiceAccounts.Interfaces;
using Bit.Core.SecretsManager.Commands.Trash.Interfaces;
using Microsoft.Extensions.DependencyInjection;
namespace Bit.Commercial.Core.SecretsManager;
@ -32,5 +34,7 @@ public static class SecretsManagerCollectionExtensions
services.AddScoped<IUpdateAccessPolicyCommand, UpdateAccessPolicyCommand>();
services.AddScoped<IDeleteAccessPolicyCommand, DeleteAccessPolicyCommand>();
services.AddScoped<IImportCommand, ImportCommand>();
services.AddScoped<IEmptyTrashCommand, EmptyTrashCommand>();
services.AddScoped<IRestoreTrashCommand, RestoreTrashCommand>();
}
}

View File

@ -8,7 +8,6 @@ using Bit.Infrastructure.EntityFramework.SecretsManager.Models;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
namespace Bit.Commercial.Infrastructure.EntityFramework.SecretsManager.Repositories;
public class SecretRepository : Repository<Core.SecretsManager.Entities.Secret, Secret, Guid>, ISecretRepository
@ -72,6 +71,36 @@ public class SecretRepository : Repository<Core.SecretsManager.Entities.Secret,
return Mapper.Map<List<Core.SecretsManager.Entities.Secret>>(secrets);
}
public async Task<IEnumerable<Core.SecretsManager.Entities.Secret>> GetManyByOrganizationIdInTrashByIdsAsync(Guid organizationId, IEnumerable<Guid> ids)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var secrets = await dbContext.Secret
.Where(s => ids.Contains(s.Id) && s.OrganizationId == organizationId && s.DeletedDate != null)
.Include("Projects")
.OrderBy(c => c.RevisionDate)
.ToListAsync();
return Mapper.Map<List<Core.SecretsManager.Entities.Secret>>(secrets);
}
}
public async Task<IEnumerable<Core.SecretsManager.Entities.Secret>> GetManyByOrganizationIdInTrashAsync(Guid organizationId)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var secrets = await dbContext.Secret
.Where(c => c.OrganizationId == organizationId && c.DeletedDate != null)
.Include("Projects")
.OrderBy(c => c.RevisionDate)
.ToListAsync();
return Mapper.Map<List<Core.SecretsManager.Entities.Secret>>(secrets);
}
}
public async Task<IEnumerable<Core.SecretsManager.Entities.Secret>> GetManyByProjectIdAsync(Guid projectId, Guid userId, AccessClientType accessType)
{
using (var scope = ServiceScopeFactory.CreateScope())
@ -168,7 +197,6 @@ public class SecretRepository : Repository<Core.SecretsManager.Entities.Secret,
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var utcNow = DateTime.UtcNow;
var secrets = dbContext.Secret.Where(c => ids.Contains(c.Id));
await secrets.ForEachAsync(secret =>
{
@ -179,6 +207,21 @@ public class SecretRepository : Repository<Core.SecretsManager.Entities.Secret,
}
}
public async Task RestoreManyByIdAsync(IEnumerable<Guid> ids)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var secrets = dbContext.Secret.Where(c => ids.Contains(c.Id));
await secrets.ForEachAsync(secret =>
{
dbContext.Attach(secret);
secret.DeletedDate = null;
});
await dbContext.SaveChangesAsync();
}
}
public async Task<IEnumerable<Core.SecretsManager.Entities.Secret>> ImportAsync(IEnumerable<Core.SecretsManager.Entities.Secret> secrets)
{
using (var scope = ServiceScopeFactory.CreateScope())

View File

@ -0,0 +1,48 @@
using Bit.Commercial.Core.SecretsManager.Commands.Trash;
using Bit.Core.Exceptions;
using Bit.Core.SecretsManager.Entities;
using Bit.Core.SecretsManager.Repositories;
using Bit.Core.Test.SecretsManager.AutoFixture.ProjectsFixture;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using NSubstitute;
using Xunit;
namespace Bit.Commercial.Core.Test.SecretsManager.Trash;
[SutProviderCustomize]
[ProjectCustomize]
public class EmptyTrashCommandTests
{
[Theory]
[BitAutoData]
public async Task EmptyTrash_Throws_NotFoundException(Guid orgId, Secret s1, Secret s2, SutProvider<EmptyTrashCommand> sutProvider)
{
s1.DeletedDate = DateTime.Now;
var ids = new List<Guid> { s1.Id, s2.Id };
sutProvider.GetDependency<ISecretRepository>()
.GetManyByOrganizationIdInTrashByIdsAsync(orgId, ids)
.Returns(new List<Secret> { s1 });
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.EmptyTrash(orgId, ids));
await sutProvider.GetDependency<ISecretRepository>().DidNotReceiveWithAnyArgs().RestoreManyByIdAsync(default);
}
[Theory]
[BitAutoData]
public async Task EmptyTrash_Success(Guid orgId, Secret s1, Secret s2, SutProvider<EmptyTrashCommand> sutProvider)
{
s1.DeletedDate = DateTime.Now;
var ids = new List<Guid> { s1.Id, s2.Id };
sutProvider.GetDependency<ISecretRepository>()
.GetManyByOrganizationIdInTrashByIdsAsync(orgId, ids)
.Returns(new List<Secret> { s1, s2 });
await sutProvider.Sut.EmptyTrash(orgId, ids);
await sutProvider.GetDependency<ISecretRepository>().Received(1).HardDeleteManyByIdAsync(ids);
}
}

View File

@ -0,0 +1,48 @@
using Bit.Commercial.Core.SecretsManager.Commands.Trash;
using Bit.Core.Exceptions;
using Bit.Core.SecretsManager.Entities;
using Bit.Core.SecretsManager.Repositories;
using Bit.Core.Test.SecretsManager.AutoFixture.ProjectsFixture;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using NSubstitute;
using Xunit;
namespace Bit.Commercial.Core.Test.SecretsManager.Trash;
[SutProviderCustomize]
[ProjectCustomize]
public class RestoreTrashCommandTests
{
[Theory]
[BitAutoData]
public async Task RestoreTrash_Throws_NotFoundException(Guid orgId, Secret s1, Secret s2, SutProvider<RestoreTrashCommand> sutProvider)
{
s1.DeletedDate = DateTime.Now;
var ids = new List<Guid> { s1.Id, s2.Id };
sutProvider.GetDependency<ISecretRepository>()
.GetManyByOrganizationIdInTrashByIdsAsync(orgId, ids)
.Returns(new List<Secret> { s1 });
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.RestoreTrash(orgId, ids));
await sutProvider.GetDependency<ISecretRepository>().DidNotReceiveWithAnyArgs().RestoreManyByIdAsync(default);
}
[Theory]
[BitAutoData]
public async Task RestoreTrash_Success(Guid orgId, Secret s1, Secret s2, SutProvider<RestoreTrashCommand> sutProvider)
{
s1.DeletedDate = DateTime.Now;
var ids = new List<Guid> { s1.Id, s2.Id };
sutProvider.GetDependency<ISecretRepository>()
.GetManyByOrganizationIdInTrashByIdsAsync(orgId, ids)
.Returns(new List<Secret> { s1, s2 });
await sutProvider.Sut.RestoreTrash(orgId, ids);
await sutProvider.GetDependency<ISecretRepository>().Received(1).RestoreManyByIdAsync(ids);
}
}

View File

@ -70,6 +70,7 @@ public class SecretsController : Controller
public async Task<SecretResponseModel> GetAsync([FromRoute] Guid id)
{
var secret = await _secretRepository.GetByIdAsync(id);
if (secret == null || !_currentContext.AccessSecretsManager(secret.OrganizationId))
{
throw new NotFoundException();

View File

@ -0,0 +1,80 @@
using Bit.Api.SecretsManager.Models.Response;
using Bit.Core.Context;
using Bit.Core.Exceptions;
using Bit.Core.SecretsManager.Commands.Trash.Interfaces;
using Bit.Core.SecretsManager.Repositories;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
namespace Bit.Api.SecretsManager.Controllers;
[SecretsManager]
[Authorize("secrets")]
public class TrashController : Controller
{
private readonly ICurrentContext _currentContext;
private readonly ISecretRepository _secretRepository;
private readonly IEmptyTrashCommand _emptyTrashCommand;
private readonly IRestoreTrashCommand _restoreTrashCommand;
public TrashController(
ICurrentContext currentContext,
ISecretRepository secretRepository,
IEmptyTrashCommand emptyTrashCommand,
IRestoreTrashCommand restoreTrashCommand)
{
_currentContext = currentContext;
_secretRepository = secretRepository;
_emptyTrashCommand = emptyTrashCommand;
_restoreTrashCommand = restoreTrashCommand;
}
[HttpGet("secrets/{organizationId}/trash")]
public async Task<SecretWithProjectsListResponseModel> ListByOrganizationAsync(Guid organizationId)
{
if (!_currentContext.AccessSecretsManager(organizationId))
{
throw new NotFoundException();
}
if (!await _currentContext.OrganizationAdmin(organizationId))
{
throw new UnauthorizedAccessException();
}
var secrets = await _secretRepository.GetManyByOrganizationIdInTrashAsync(organizationId);
return new SecretWithProjectsListResponseModel(secrets);
}
[HttpPost("secrets/{organizationId}/trash/empty")]
public async Task EmptyTrashAsync(Guid organizationId, [FromBody] List<Guid> ids)
{
if (!_currentContext.AccessSecretsManager(organizationId))
{
throw new NotFoundException();
}
if (!await _currentContext.OrganizationAdmin(organizationId))
{
throw new UnauthorizedAccessException();
}
await _emptyTrashCommand.EmptyTrash(organizationId, ids);
}
[HttpPost("secrets/{organizationId}/trash/restore")]
public async Task RestoreTrashAsync(Guid organizationId, [FromBody] List<Guid> ids)
{
if (!_currentContext.AccessSecretsManager(organizationId))
{
throw new NotFoundException();
}
if (!await _currentContext.OrganizationAdmin(organizationId))
{
throw new UnauthorizedAccessException();
}
await _restoreTrashCommand.RestoreTrash(organizationId, ids);
}
}

View File

@ -0,0 +1,7 @@
namespace Bit.Core.SecretsManager.Commands.Trash.Interfaces;
public interface IEmptyTrashCommand
{
Task EmptyTrash(Guid organizationId, List<Guid> ids);
}

View File

@ -0,0 +1,6 @@
namespace Bit.Core.SecretsManager.Commands.Trash.Interfaces;
public interface IRestoreTrashCommand
{
Task RestoreTrash(Guid organizationId, List<Guid> ids);
}

View File

@ -6,6 +6,8 @@ namespace Bit.Core.SecretsManager.Repositories;
public interface ISecretRepository
{
Task<IEnumerable<Secret>> GetManyByOrganizationIdAsync(Guid organizationId, Guid userId, AccessClientType accessType);
Task<IEnumerable<Secret>> GetManyByOrganizationIdInTrashAsync(Guid organizationId);
Task<IEnumerable<Secret>> GetManyByOrganizationIdInTrashByIdsAsync(Guid organizationId, IEnumerable<Guid> ids);
Task<IEnumerable<Secret>> GetManyByIds(IEnumerable<Guid> ids);
Task<IEnumerable<Secret>> GetManyByProjectIdAsync(Guid projectId, Guid userId, AccessClientType accessType);
Task<Secret> GetByIdAsync(Guid id);
@ -13,5 +15,6 @@ public interface ISecretRepository
Task<Secret> UpdateAsync(Secret secret);
Task SoftDeleteManyByIdAsync(IEnumerable<Guid> ids);
Task HardDeleteManyByIdAsync(IEnumerable<Guid> ids);
Task RestoreManyByIdAsync(IEnumerable<Guid> ids);
Task<IEnumerable<Secret>> ImportAsync(IEnumerable<Secret> secrets);
}

View File

@ -0,0 +1,227 @@
using System.Net;
using System.Net.Http.Headers;
using Bit.Api.IntegrationTest.Factories;
using Bit.Api.SecretsManager.Models.Response;
using Bit.Core.Enums;
using Bit.Core.SecretsManager.Repositories;
using Xunit;
using Secret = Bit.Core.SecretsManager.Entities.Secret;
namespace Bit.Api.IntegrationTest.SecretsManager.Controllers;
public class SecretsTrashControllerTest : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
{
private readonly string _mockEncryptedString =
"2.3Uk+WNBIoU5xzmVFNcoWzz==|1MsPIYuRfdOHfu/0uY6H2Q==|/98sp4wb6pHP1VTZ9JcNCYgQjEUMFPlqJgCwRk1YXKg=";
private readonly HttpClient _client;
private readonly ApiApplicationFactory _factory;
private readonly ISecretRepository _secretRepository;
private string _email = null!;
private SecretsManagerOrganizationHelper _organizationHelper = null!;
public SecretsTrashControllerTest(ApiApplicationFactory factory)
{
_factory = factory;
_client = _factory.CreateClient();
_secretRepository = _factory.GetService<ISecretRepository>();
}
public async Task InitializeAsync()
{
_email = $"integration-test{Guid.NewGuid()}@bitwarden.com";
await _factory.LoginWithNewAccount(_email);
_organizationHelper = new SecretsManagerOrganizationHelper(_factory, _email);
}
public Task DisposeAsync()
{
_client.Dispose();
return Task.CompletedTask;
}
private async Task LoginAsync(string email)
{
var tokens = await _factory.LoginAsync(email);
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
}
[Theory]
[InlineData(false, false)]
[InlineData(true, false)]
[InlineData(false, true)]
public async Task ListByOrganization_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
{
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
await LoginAsync(_email);
var response = await _client.GetAsync($"/secrets/{org.Id}/trash");
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task ListByOrganization_NotAdmin_Unauthorized()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
var (email, _) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);
var response = await _client.GetAsync($"/secrets/{org.Id}/trash");
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
[Fact]
public async Task ListByOrganization_Success()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
await LoginAsync(_email);
await _secretRepository.CreateAsync(new Secret
{
OrganizationId = org.Id,
Key = _mockEncryptedString,
Value = _mockEncryptedString,
DeletedDate = DateTime.Now,
});
await _secretRepository.CreateAsync(new Secret
{
OrganizationId = org.Id,
Key = _mockEncryptedString,
Value = _mockEncryptedString,
});
var response = await _client.GetAsync($"/secrets/{org.Id}/trash");
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<SecretWithProjectsListResponseModel>();
Assert.Single(result!.Secrets);
}
[Theory]
[InlineData(false, false)]
[InlineData(true, false)]
[InlineData(false, true)]
public async Task Empty_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
{
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
await LoginAsync(_email);
var ids = new List<Guid> { Guid.NewGuid() };
var response = await _client.PostAsJsonAsync($"/secrets/{org.Id}/trash/empty", ids);
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task Empty_NotAdmin_Unauthorized()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
var (email, _) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);
var ids = new List<Guid> { Guid.NewGuid() };
var response = await _client.PostAsJsonAsync($"/secrets/{org.Id}/trash/empty", ids);
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
[Fact]
public async Task Empty_Invalid_NotFound()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
await LoginAsync(_email);
var secret = await _secretRepository.CreateAsync(new Secret
{
OrganizationId = org.Id,
Key = _mockEncryptedString,
Value = _mockEncryptedString
});
var ids = new List<Guid> { secret.Id };
var response = await _client.PostAsJsonAsync($"/secrets/{org.Id}/trash/empty", ids);
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task Empty_Success()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
await LoginAsync(_email);
var secret = await _secretRepository.CreateAsync(new Secret
{
OrganizationId = org.Id,
Key = _mockEncryptedString,
Value = _mockEncryptedString,
DeletedDate = DateTime.Now,
});
var ids = new List<Guid> { secret.Id };
var response = await _client.PostAsJsonAsync($"/secrets/{org.Id}/trash/empty", ids);
response.EnsureSuccessStatusCode();
}
[Theory]
[InlineData(false, false)]
[InlineData(true, false)]
[InlineData(false, true)]
public async Task Restore_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
{
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
await LoginAsync(_email);
var ids = new List<Guid> { Guid.NewGuid() };
var response = await _client.PostAsJsonAsync($"/secrets/{org.Id}/trash/restore", ids);
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task Restore_NotAdmin_Unauthorized()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
var (email, _) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);
var ids = new List<Guid> { Guid.NewGuid() };
var response = await _client.PostAsJsonAsync($"/secrets/{org.Id}/trash/restore", ids);
Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
}
[Fact]
public async Task Restore_Invalid_NotFound()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
await LoginAsync(_email);
var secret = await _secretRepository.CreateAsync(new Secret
{
OrganizationId = org.Id,
Key = _mockEncryptedString,
Value = _mockEncryptedString
});
var ids = new List<Guid> { secret.Id };
var response = await _client.PostAsJsonAsync($"/secrets/{org.Id}/trash/restore", ids);
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
}
[Fact]
public async Task Restore_Success()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
await LoginAsync(_email);
var secret = await _secretRepository.CreateAsync(new Secret
{
OrganizationId = org.Id,
Key = _mockEncryptedString,
Value = _mockEncryptedString,
DeletedDate = DateTime.Now,
});
var ids = new List<Guid> { secret.Id };
var response = await _client.PostAsJsonAsync($"/secrets/{org.Id}/trash/restore", ids);
response.EnsureSuccessStatusCode();
}
}