mirror of
https://github.com/bitwarden/server.git
synced 2024-11-25 12:45:18 +01:00
[SM-707] Refactor authorization for Access Policy Commands (#2905)
* Extract authorization from access policy commands * Use auto mapper to ignore unwanted properties ---------
This commit is contained in:
parent
d6a45d4802
commit
1d9aeb37aa
@ -0,0 +1,266 @@
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.SecretsManager.AuthorizationRequirements;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Queries.Interfaces;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
|
||||
namespace Bit.Commercial.Core.SecretsManager.AuthorizationHandlers.AccessPolicies;
|
||||
|
||||
public class AccessPolicyAuthorizationHandler : AuthorizationHandler<AccessPolicyOperationRequirement, BaseAccessPolicy>
|
||||
{
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly IAccessClientQuery _accessClientQuery;
|
||||
private readonly IGroupRepository _groupRepository;
|
||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||
private readonly IProjectRepository _projectRepository;
|
||||
private readonly IServiceAccountRepository _serviceAccountRepository;
|
||||
|
||||
public AccessPolicyAuthorizationHandler(ICurrentContext currentContext,
|
||||
IAccessClientQuery accessClientQuery,
|
||||
IGroupRepository groupRepository,
|
||||
IOrganizationUserRepository organizationUserRepository,
|
||||
IProjectRepository projectRepository,
|
||||
IServiceAccountRepository serviceAccountRepository)
|
||||
{
|
||||
_currentContext = currentContext;
|
||||
_accessClientQuery = accessClientQuery;
|
||||
_groupRepository = groupRepository;
|
||||
_organizationUserRepository = organizationUserRepository;
|
||||
_projectRepository = projectRepository;
|
||||
_serviceAccountRepository = serviceAccountRepository;
|
||||
}
|
||||
|
||||
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
|
||||
AccessPolicyOperationRequirement requirement,
|
||||
BaseAccessPolicy resource)
|
||||
{
|
||||
switch (requirement)
|
||||
{
|
||||
case not null when requirement == AccessPolicyOperations.Create:
|
||||
await CanCreateAccessPolicyAsync(context, requirement, resource);
|
||||
break;
|
||||
case not null when requirement == AccessPolicyOperations.Update:
|
||||
await CanUpdateAccessPolicyAsync(context, requirement, resource);
|
||||
break;
|
||||
case not null when requirement == AccessPolicyOperations.Delete:
|
||||
await CanDeleteAccessPolicyAsync(context, requirement, resource);
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentException("Unsupported operation requirement type provided.",
|
||||
nameof(requirement));
|
||||
}
|
||||
}
|
||||
|
||||
private async Task CanCreateAccessPolicyAsync(AuthorizationHandlerContext context,
|
||||
AccessPolicyOperationRequirement requirement, BaseAccessPolicy resource)
|
||||
{
|
||||
switch (resource)
|
||||
{
|
||||
case UserProjectAccessPolicy ap:
|
||||
await CanCreateAsync(context, requirement, ap);
|
||||
break;
|
||||
case GroupProjectAccessPolicy ap:
|
||||
await CanCreateAsync(context, requirement, ap);
|
||||
break;
|
||||
case ServiceAccountProjectAccessPolicy ap:
|
||||
await CanCreateAsync(context, requirement, ap);
|
||||
break;
|
||||
case UserServiceAccountAccessPolicy ap:
|
||||
await CanCreateAsync(context, requirement, ap);
|
||||
break;
|
||||
case GroupServiceAccountAccessPolicy ap:
|
||||
await CanCreateAsync(context, requirement, ap);
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentException("Unsupported access policy type provided.");
|
||||
}
|
||||
}
|
||||
|
||||
private async Task CanUpdateAccessPolicyAsync(AuthorizationHandlerContext context,
|
||||
AccessPolicyOperationRequirement requirement, BaseAccessPolicy resource)
|
||||
{
|
||||
var access = await GetAccessPolicyAccessAsync(context, resource);
|
||||
|
||||
if (access.Write)
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
}
|
||||
|
||||
private async Task CanDeleteAccessPolicyAsync(AuthorizationHandlerContext context,
|
||||
AccessPolicyOperationRequirement requirement, BaseAccessPolicy resource)
|
||||
{
|
||||
var access = await GetAccessPolicyAccessAsync(context, resource);
|
||||
|
||||
if (access.Write)
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
}
|
||||
|
||||
private async Task CanCreateAsync(AuthorizationHandlerContext context,
|
||||
AccessPolicyOperationRequirement requirement, UserProjectAccessPolicy resource)
|
||||
{
|
||||
var user = await _organizationUserRepository.GetByIdAsync(resource.OrganizationUserId!.Value);
|
||||
if (user.OrganizationId != resource.GrantedProject?.OrganizationId)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var access = await GetAccessAsync(context, resource.GrantedProject!.OrganizationId, resource.GrantedProjectId);
|
||||
|
||||
if (access.Write)
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
}
|
||||
|
||||
private async Task CanCreateAsync(AuthorizationHandlerContext context,
|
||||
AccessPolicyOperationRequirement requirement, GroupProjectAccessPolicy resource)
|
||||
{
|
||||
var group = await _groupRepository.GetByIdAsync(resource.GroupId!.Value);
|
||||
if (group.OrganizationId != resource.GrantedProject?.OrganizationId)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var access = await GetAccessAsync(context, resource.GrantedProject!.OrganizationId, resource.GrantedProjectId);
|
||||
|
||||
if (access.Write)
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
}
|
||||
|
||||
private async Task CanCreateAsync(AuthorizationHandlerContext context,
|
||||
AccessPolicyOperationRequirement requirement, ServiceAccountProjectAccessPolicy resource)
|
||||
{
|
||||
var projectOrganizationId = resource.GrantedProject?.OrganizationId;
|
||||
var serviceAccountOrgId = resource.ServiceAccount?.OrganizationId;
|
||||
|
||||
if (projectOrganizationId == null)
|
||||
{
|
||||
var project = await _projectRepository.GetByIdAsync(resource.GrantedProjectId!.Value);
|
||||
projectOrganizationId = project?.OrganizationId;
|
||||
}
|
||||
|
||||
if (serviceAccountOrgId == null)
|
||||
{
|
||||
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(resource.ServiceAccountId!.Value);
|
||||
serviceAccountOrgId = serviceAccount?.OrganizationId;
|
||||
}
|
||||
|
||||
if (!serviceAccountOrgId.HasValue || !projectOrganizationId.HasValue ||
|
||||
serviceAccountOrgId != projectOrganizationId)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var access = await GetAccessAsync(context, projectOrganizationId.Value, resource.GrantedProjectId,
|
||||
resource.ServiceAccountId);
|
||||
|
||||
if (access.Write)
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
}
|
||||
|
||||
private async Task CanCreateAsync(AuthorizationHandlerContext context,
|
||||
AccessPolicyOperationRequirement requirement, UserServiceAccountAccessPolicy resource)
|
||||
{
|
||||
var user = await _organizationUserRepository.GetByIdAsync(resource.OrganizationUserId!.Value);
|
||||
if (user.OrganizationId != resource.GrantedServiceAccount!.OrganizationId)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var access = await GetAccessAsync(context, resource.GrantedServiceAccount!.OrganizationId,
|
||||
serviceAccountIdToCheck: resource.GrantedServiceAccountId);
|
||||
|
||||
if (access.Write)
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
}
|
||||
|
||||
private async Task CanCreateAsync(AuthorizationHandlerContext context,
|
||||
AccessPolicyOperationRequirement requirement, GroupServiceAccountAccessPolicy resource)
|
||||
{
|
||||
var group = await _groupRepository.GetByIdAsync(resource.GroupId!.Value);
|
||||
if (group.OrganizationId != resource.GrantedServiceAccount!.OrganizationId)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
var access = await GetAccessAsync(context, resource.GrantedServiceAccount!.OrganizationId,
|
||||
serviceAccountIdToCheck: resource.GrantedServiceAccountId);
|
||||
|
||||
if (access.Write)
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
}
|
||||
|
||||
private async Task<(bool Read, bool Write)> GetAccessPolicyAccessAsync(AuthorizationHandlerContext context,
|
||||
BaseAccessPolicy resource) =>
|
||||
resource switch
|
||||
{
|
||||
UserProjectAccessPolicy ap => await GetAccessAsync(context, ap.GrantedProject!.OrganizationId,
|
||||
ap.GrantedProjectId),
|
||||
GroupProjectAccessPolicy ap => await GetAccessAsync(context, ap.GrantedProject!.OrganizationId,
|
||||
ap.GrantedProjectId),
|
||||
ServiceAccountProjectAccessPolicy ap => await GetAccessAsync(context, ap.GrantedProject!.OrganizationId,
|
||||
ap.GrantedProjectId),
|
||||
UserServiceAccountAccessPolicy ap => await GetAccessAsync(context, ap.GrantedServiceAccount!.OrganizationId,
|
||||
serviceAccountIdToCheck: ap.GrantedServiceAccountId),
|
||||
GroupServiceAccountAccessPolicy ap => await GetAccessAsync(context,
|
||||
ap.GrantedServiceAccount!.OrganizationId, serviceAccountIdToCheck: ap.GrantedServiceAccountId),
|
||||
_ => throw new ArgumentException("Unsupported access policy type provided."),
|
||||
};
|
||||
|
||||
private async Task<(bool Read, bool Write)> GetAccessAsync(AuthorizationHandlerContext context,
|
||||
Guid organizationId, Guid? projectIdToCheck = null,
|
||||
Guid? serviceAccountIdToCheck = null)
|
||||
{
|
||||
if (!_currentContext.AccessSecretsManager(organizationId))
|
||||
{
|
||||
return (false, false);
|
||||
}
|
||||
|
||||
var (accessClient, userId) = await _accessClientQuery.GetAccessClientAsync(context.User, organizationId);
|
||||
|
||||
// Only users and admins should be able to manipulate access policies
|
||||
if (accessClient != AccessClientType.User && accessClient != AccessClientType.NoAccessCheck)
|
||||
{
|
||||
return (false, false);
|
||||
}
|
||||
|
||||
if (projectIdToCheck.HasValue && serviceAccountIdToCheck.HasValue)
|
||||
{
|
||||
var projectAccess =
|
||||
await _projectRepository.AccessToProjectAsync(projectIdToCheck.Value, userId, accessClient);
|
||||
var serviceAccountAccess =
|
||||
await _serviceAccountRepository.AccessToServiceAccountAsync(serviceAccountIdToCheck.Value, userId,
|
||||
accessClient);
|
||||
return (
|
||||
projectAccess.Read && serviceAccountAccess.Read,
|
||||
projectAccess.Write && serviceAccountAccess.Write);
|
||||
}
|
||||
|
||||
if (projectIdToCheck.HasValue)
|
||||
{
|
||||
return await _projectRepository.AccessToProjectAsync(projectIdToCheck.Value, userId, accessClient);
|
||||
}
|
||||
|
||||
if (serviceAccountIdToCheck.HasValue)
|
||||
{
|
||||
return await _serviceAccountRepository.AccessToServiceAccountAsync(serviceAccountIdToCheck.Value, userId,
|
||||
accessClient);
|
||||
}
|
||||
|
||||
throw new ArgumentException("No ID to check provided.");
|
||||
}
|
||||
}
|
@ -1,5 +1,4 @@
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
@ -9,92 +8,18 @@ namespace Bit.Commercial.Core.SecretsManager.Commands.AccessPolicies;
|
||||
public class CreateAccessPoliciesCommand : ICreateAccessPoliciesCommand
|
||||
{
|
||||
private readonly IAccessPolicyRepository _accessPolicyRepository;
|
||||
private readonly IProjectRepository _projectRepository;
|
||||
private readonly IServiceAccountRepository _serviceAccountRepository;
|
||||
|
||||
public CreateAccessPoliciesCommand(
|
||||
IAccessPolicyRepository accessPolicyRepository,
|
||||
IProjectRepository projectRepository,
|
||||
IServiceAccountRepository serviceAccountRepository)
|
||||
public CreateAccessPoliciesCommand(IAccessPolicyRepository accessPolicyRepository)
|
||||
{
|
||||
_accessPolicyRepository = accessPolicyRepository;
|
||||
_projectRepository = projectRepository;
|
||||
_serviceAccountRepository = serviceAccountRepository;
|
||||
}
|
||||
|
||||
private static IEnumerable<Guid?> GetDistinctGrantedProjectIds(List<BaseAccessPolicy> accessPolicies)
|
||||
public async Task<IEnumerable<BaseAccessPolicy>> CreateManyAsync(List<BaseAccessPolicy> accessPolicies)
|
||||
{
|
||||
var userGrantedIds = accessPolicies.OfType<UserProjectAccessPolicy>().Select(ap => ap.GrantedProjectId);
|
||||
var groupGrantedIds = accessPolicies.OfType<GroupProjectAccessPolicy>().Select(ap => ap.GrantedProjectId);
|
||||
var saGrantedIds = accessPolicies.OfType<ServiceAccountProjectAccessPolicy>().Select(ap => ap.GrantedProjectId);
|
||||
return userGrantedIds.Concat(groupGrantedIds).Concat(saGrantedIds).Distinct();
|
||||
}
|
||||
|
||||
private static IEnumerable<Guid?> GetDistinctGrantedServiceAccountIds(List<BaseAccessPolicy> accessPolicies)
|
||||
{
|
||||
var userGrantedIds = accessPolicies.OfType<UserServiceAccountAccessPolicy>().Select(ap => ap.GrantedServiceAccountId);
|
||||
var groupGrantedIds = accessPolicies.OfType<GroupServiceAccountAccessPolicy>()
|
||||
.Select(ap => ap.GrantedServiceAccountId);
|
||||
return userGrantedIds.Concat(groupGrantedIds).Distinct();
|
||||
}
|
||||
|
||||
private static void CheckForDistinctAccessPolicies(IReadOnlyCollection<BaseAccessPolicy> accessPolicies)
|
||||
{
|
||||
var distinctAccessPolicies = accessPolicies.DistinctBy(baseAccessPolicy =>
|
||||
{
|
||||
return baseAccessPolicy switch
|
||||
{
|
||||
UserProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId, ap.GrantedProjectId),
|
||||
GroupProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedProjectId),
|
||||
ServiceAccountProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.ServiceAccountId,
|
||||
ap.GrantedProjectId),
|
||||
UserServiceAccountAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId,
|
||||
ap.GrantedServiceAccountId),
|
||||
GroupServiceAccountAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedServiceAccountId),
|
||||
_ => throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy)),
|
||||
};
|
||||
}).ToList();
|
||||
|
||||
if (accessPolicies.Count != distinctAccessPolicies.Count)
|
||||
{
|
||||
throw new BadRequestException("Resources must be unique");
|
||||
}
|
||||
}
|
||||
|
||||
public async Task<IEnumerable<BaseAccessPolicy>> CreateManyAsync(List<BaseAccessPolicy> accessPolicies, Guid userId, AccessClientType accessType)
|
||||
{
|
||||
CheckForDistinctAccessPolicies(accessPolicies);
|
||||
await CheckAccessPoliciesDoNotExistAsync(accessPolicies);
|
||||
await CheckCanCreateAsync(accessPolicies, userId, accessType);
|
||||
return await _accessPolicyRepository.CreateManyAsync(accessPolicies);
|
||||
}
|
||||
|
||||
private async Task CheckCanCreateAsync(List<BaseAccessPolicy> accessPolicies, Guid userId, AccessClientType accessType)
|
||||
{
|
||||
var projectIds = GetDistinctGrantedProjectIds(accessPolicies).ToList();
|
||||
var serviceAccountIds = GetDistinctGrantedServiceAccountIds(accessPolicies).ToList();
|
||||
|
||||
if (projectIds.Any())
|
||||
{
|
||||
foreach (var projectId in projectIds)
|
||||
{
|
||||
await CheckPermissionAsync(accessType, userId, projectId);
|
||||
}
|
||||
}
|
||||
if (serviceAccountIds.Any())
|
||||
{
|
||||
foreach (var serviceAccountId in serviceAccountIds)
|
||||
{
|
||||
await CheckPermissionAsync(accessType, userId, serviceAccountIdToCheck: serviceAccountId);
|
||||
}
|
||||
}
|
||||
|
||||
if (!projectIds.Any() && !serviceAccountIds.Any())
|
||||
{
|
||||
throw new BadRequestException("No granted IDs specified");
|
||||
}
|
||||
}
|
||||
|
||||
private async Task CheckAccessPoliciesDoNotExistAsync(List<BaseAccessPolicy> accessPolicies)
|
||||
{
|
||||
foreach (var accessPolicy in accessPolicies)
|
||||
@ -105,41 +30,4 @@ public class CreateAccessPoliciesCommand : ICreateAccessPoliciesCommand
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private async Task CheckPermissionAsync(AccessClientType accessClient, Guid userId, Guid? projectIdToCheck = null,
|
||||
Guid? serviceAccountIdToCheck = null)
|
||||
{
|
||||
bool hasAccess;
|
||||
switch (accessClient)
|
||||
{
|
||||
case AccessClientType.NoAccessCheck:
|
||||
hasAccess = true;
|
||||
break;
|
||||
case AccessClientType.User:
|
||||
if (projectIdToCheck.HasValue)
|
||||
{
|
||||
hasAccess = (await _projectRepository.AccessToProjectAsync(projectIdToCheck.Value, userId, accessClient)).Write;
|
||||
}
|
||||
else if (serviceAccountIdToCheck.HasValue)
|
||||
{
|
||||
hasAccess =
|
||||
await _serviceAccountRepository.UserHasWriteAccessToServiceAccount(
|
||||
serviceAccountIdToCheck.Value, userId);
|
||||
}
|
||||
else
|
||||
{
|
||||
throw new ArgumentException("No ID to check provided.");
|
||||
}
|
||||
|
||||
break;
|
||||
default:
|
||||
hasAccess = false;
|
||||
break;
|
||||
}
|
||||
|
||||
if (!hasAccess)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1,8 +1,4 @@
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
|
||||
namespace Bit.Commercial.Core.SecretsManager.Commands.AccessPolicies;
|
||||
@ -10,98 +6,14 @@ namespace Bit.Commercial.Core.SecretsManager.Commands.AccessPolicies;
|
||||
public class DeleteAccessPolicyCommand : IDeleteAccessPolicyCommand
|
||||
{
|
||||
private readonly IAccessPolicyRepository _accessPolicyRepository;
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly IProjectRepository _projectRepository;
|
||||
private readonly IServiceAccountRepository _serviceAccountRepository;
|
||||
|
||||
public DeleteAccessPolicyCommand(
|
||||
IAccessPolicyRepository accessPolicyRepository,
|
||||
ICurrentContext currentContext,
|
||||
IProjectRepository projectRepository,
|
||||
IServiceAccountRepository serviceAccountRepository)
|
||||
public DeleteAccessPolicyCommand(IAccessPolicyRepository accessPolicyRepository)
|
||||
{
|
||||
_projectRepository = projectRepository;
|
||||
_serviceAccountRepository = serviceAccountRepository;
|
||||
_accessPolicyRepository = accessPolicyRepository;
|
||||
_currentContext = currentContext;
|
||||
}
|
||||
|
||||
public async Task DeleteAsync(Guid id, Guid userId)
|
||||
public async Task DeleteAsync(Guid id)
|
||||
{
|
||||
var accessPolicy = await _accessPolicyRepository.GetByIdAsync(id);
|
||||
if (accessPolicy == null)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
if (!await IsAllowedToDeleteAsync(accessPolicy, userId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
await _accessPolicyRepository.DeleteAsync(id);
|
||||
}
|
||||
|
||||
private async Task<bool> IsAllowedToDeleteAsync(BaseAccessPolicy baseAccessPolicy, Guid userId) =>
|
||||
baseAccessPolicy switch
|
||||
{
|
||||
UserProjectAccessPolicy ap => await HasPermissionAsync(ap.GrantedProject!.OrganizationId, userId,
|
||||
ap.GrantedProjectId),
|
||||
GroupProjectAccessPolicy ap => await HasPermissionAsync(ap.GrantedProject!.OrganizationId, userId,
|
||||
ap.GrantedProjectId),
|
||||
ServiceAccountProjectAccessPolicy ap => await HasPermissionAsync(ap.GrantedProject!.OrganizationId,
|
||||
userId, ap.GrantedProjectId),
|
||||
UserServiceAccountAccessPolicy ap => await HasPermissionAsync(
|
||||
ap.GrantedServiceAccount!.OrganizationId,
|
||||
userId, serviceAccountIdToCheck: ap.GrantedServiceAccountId),
|
||||
GroupServiceAccountAccessPolicy ap => await HasPermissionAsync(
|
||||
ap.GrantedServiceAccount!.OrganizationId,
|
||||
userId, serviceAccountIdToCheck: ap.GrantedServiceAccountId),
|
||||
_ => throw new ArgumentException("Unsupported access policy type provided."),
|
||||
};
|
||||
|
||||
private async Task<bool> HasPermissionAsync(
|
||||
Guid organizationId,
|
||||
Guid userId,
|
||||
Guid? projectIdToCheck = null,
|
||||
Guid? serviceAccountIdToCheck = null)
|
||||
{
|
||||
if (!_currentContext.AccessSecretsManager(organizationId))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
var orgAdmin = await _currentContext.OrganizationAdmin(organizationId);
|
||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
||||
|
||||
bool hasAccess;
|
||||
switch (accessClient)
|
||||
{
|
||||
case AccessClientType.NoAccessCheck:
|
||||
hasAccess = true;
|
||||
break;
|
||||
case AccessClientType.User:
|
||||
if (projectIdToCheck.HasValue)
|
||||
{
|
||||
hasAccess = (await _projectRepository.AccessToProjectAsync(projectIdToCheck.Value, userId, accessClient)).Write;
|
||||
}
|
||||
else if (serviceAccountIdToCheck.HasValue)
|
||||
{
|
||||
hasAccess =
|
||||
await _serviceAccountRepository.UserHasWriteAccessToServiceAccount(
|
||||
serviceAccountIdToCheck.Value, userId);
|
||||
}
|
||||
else
|
||||
{
|
||||
throw new ArgumentException("No ID to check provided.");
|
||||
}
|
||||
|
||||
break;
|
||||
default:
|
||||
hasAccess = false;
|
||||
break;
|
||||
}
|
||||
|
||||
return hasAccess;
|
||||
}
|
||||
}
|
||||
|
@ -1,6 +1,4 @@
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
@ -10,23 +8,13 @@ namespace Bit.Commercial.Core.SecretsManager.Commands.AccessPolicies;
|
||||
public class UpdateAccessPolicyCommand : IUpdateAccessPolicyCommand
|
||||
{
|
||||
private readonly IAccessPolicyRepository _accessPolicyRepository;
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly IProjectRepository _projectRepository;
|
||||
private readonly IServiceAccountRepository _serviceAccountRepository;
|
||||
|
||||
public UpdateAccessPolicyCommand(
|
||||
IAccessPolicyRepository accessPolicyRepository,
|
||||
ICurrentContext currentContext,
|
||||
IProjectRepository projectRepository,
|
||||
IServiceAccountRepository serviceAccountRepository)
|
||||
public UpdateAccessPolicyCommand(IAccessPolicyRepository accessPolicyRepository)
|
||||
{
|
||||
_accessPolicyRepository = accessPolicyRepository;
|
||||
_currentContext = currentContext;
|
||||
_projectRepository = projectRepository;
|
||||
_serviceAccountRepository = serviceAccountRepository;
|
||||
}
|
||||
|
||||
public async Task<BaseAccessPolicy> UpdateAsync(Guid id, bool read, bool write, Guid userId)
|
||||
public async Task<BaseAccessPolicy> UpdateAsync(Guid id, bool read, bool write)
|
||||
{
|
||||
var accessPolicy = await _accessPolicyRepository.GetByIdAsync(id);
|
||||
if (accessPolicy == null)
|
||||
@ -34,78 +22,10 @@ public class UpdateAccessPolicyCommand : IUpdateAccessPolicyCommand
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
if (!await IsAllowedToUpdateAsync(accessPolicy, userId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
accessPolicy.Read = read;
|
||||
accessPolicy.Write = write;
|
||||
accessPolicy.RevisionDate = DateTime.UtcNow;
|
||||
await _accessPolicyRepository.ReplaceAsync(accessPolicy);
|
||||
return accessPolicy;
|
||||
}
|
||||
|
||||
private async Task<bool> IsAllowedToUpdateAsync(BaseAccessPolicy baseAccessPolicy, Guid userId) =>
|
||||
baseAccessPolicy switch
|
||||
{
|
||||
UserProjectAccessPolicy ap => await HasPermissionsAsync(ap.GrantedProject!.OrganizationId, userId,
|
||||
ap.GrantedProjectId),
|
||||
GroupProjectAccessPolicy ap => await HasPermissionsAsync(ap.GrantedProject!.OrganizationId, userId,
|
||||
ap.GrantedProjectId),
|
||||
ServiceAccountProjectAccessPolicy ap => await HasPermissionsAsync(ap.GrantedProject!.OrganizationId,
|
||||
userId, ap.GrantedProjectId),
|
||||
UserServiceAccountAccessPolicy ap => await HasPermissionsAsync(
|
||||
ap.GrantedServiceAccount!.OrganizationId,
|
||||
userId, serviceAccountIdToCheck: ap.GrantedServiceAccountId),
|
||||
GroupServiceAccountAccessPolicy ap => await HasPermissionsAsync(
|
||||
ap.GrantedServiceAccount!.OrganizationId,
|
||||
userId, serviceAccountIdToCheck: ap.GrantedServiceAccountId),
|
||||
_ => throw new ArgumentException("Unsupported access policy type provided."),
|
||||
};
|
||||
|
||||
private async Task<bool> HasPermissionsAsync(
|
||||
Guid organizationId,
|
||||
Guid userId,
|
||||
Guid? projectIdToCheck = null,
|
||||
Guid? serviceAccountIdToCheck = null)
|
||||
{
|
||||
if (!_currentContext.AccessSecretsManager(organizationId))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
var orgAdmin = await _currentContext.OrganizationAdmin(organizationId);
|
||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
||||
|
||||
bool hasAccess;
|
||||
switch (accessClient)
|
||||
{
|
||||
case AccessClientType.NoAccessCheck:
|
||||
hasAccess = true;
|
||||
break;
|
||||
case AccessClientType.User:
|
||||
if (projectIdToCheck.HasValue)
|
||||
{
|
||||
hasAccess = (await _projectRepository.AccessToProjectAsync(projectIdToCheck.Value, userId, accessClient)).Write;
|
||||
}
|
||||
else if (serviceAccountIdToCheck.HasValue)
|
||||
{
|
||||
hasAccess =
|
||||
await _serviceAccountRepository.UserHasWriteAccessToServiceAccount(
|
||||
serviceAccountIdToCheck.Value, userId);
|
||||
}
|
||||
else
|
||||
{
|
||||
throw new ArgumentException("No ID to check provided.");
|
||||
}
|
||||
|
||||
break;
|
||||
default:
|
||||
hasAccess = false;
|
||||
break;
|
||||
}
|
||||
|
||||
return hasAccess;
|
||||
}
|
||||
}
|
||||
|
@ -1,4 +1,5 @@
|
||||
using Bit.Commercial.Core.SecretsManager.AuthorizationHandlers.Projects;
|
||||
using Bit.Commercial.Core.SecretsManager.AuthorizationHandlers.AccessPolicies;
|
||||
using Bit.Commercial.Core.SecretsManager.AuthorizationHandlers.Projects;
|
||||
using Bit.Commercial.Core.SecretsManager.AuthorizationHandlers.Secrets;
|
||||
using Bit.Commercial.Core.SecretsManager.AuthorizationHandlers.ServiceAccounts;
|
||||
using Bit.Commercial.Core.SecretsManager.Commands.AccessPolicies;
|
||||
@ -29,6 +30,7 @@ public static class SecretsManagerCollectionExtensions
|
||||
services.AddScoped<IAuthorizationHandler, ProjectAuthorizationHandler>();
|
||||
services.AddScoped<IAuthorizationHandler, SecretAuthorizationHandler>();
|
||||
services.AddScoped<IAuthorizationHandler, ServiceAccountAuthorizationHandler>();
|
||||
services.AddScoped<IAuthorizationHandler, AccessPolicyAuthorizationHandler>();
|
||||
services.AddScoped<IAccessClientQuery, AccessClientQuery>();
|
||||
services.AddScoped<ICreateSecretCommand, CreateSecretCommand>();
|
||||
services.AddScoped<IUpdateSecretCommand, UpdateSecretCommand>();
|
||||
|
@ -0,0 +1,761 @@
|
||||
using System.Reflection;
|
||||
using System.Security.Claims;
|
||||
using Bit.Commercial.Core.SecretsManager.AuthorizationHandlers.AccessPolicies;
|
||||
using Bit.Commercial.Core.Test.SecretsManager.Enums;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.SecretsManager.AuthorizationRequirements;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Queries.Interfaces;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
using Bit.Core.Test.SecretsManager.AutoFixture.ProjectsFixture;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using NSubstitute;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Commercial.Core.Test.SecretsManager.AuthorizationHandlers.AccessPolicies;
|
||||
|
||||
[SutProviderCustomize]
|
||||
[ProjectCustomize]
|
||||
public class AccessPolicyAuthorizationHandlerTests
|
||||
{
|
||||
private static void SetupCurrentUserPermission(SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
PermissionType permissionType, Guid organizationId, Guid userId = new())
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId)
|
||||
.Returns(true);
|
||||
|
||||
switch (permissionType)
|
||||
{
|
||||
case PermissionType.RunAsAdmin:
|
||||
sutProvider.GetDependency<IAccessClientQuery>().GetAccessClientAsync(default, organizationId).ReturnsForAnyArgs(
|
||||
(AccessClientType.NoAccessCheck, userId));
|
||||
break;
|
||||
case PermissionType.RunAsUserWithPermission:
|
||||
sutProvider.GetDependency<IAccessClientQuery>().GetAccessClientAsync(default, organizationId).ReturnsForAnyArgs(
|
||||
(AccessClientType.User, userId));
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(permissionType), permissionType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static BaseAccessPolicy CreatePolicy(AccessPolicyType accessPolicyType, Project grantedProject,
|
||||
ServiceAccount grantedServiceAccount, Guid? serviceAccountId = null)
|
||||
{
|
||||
switch (accessPolicyType)
|
||||
{
|
||||
case AccessPolicyType.UserProjectAccessPolicy:
|
||||
return
|
||||
new UserProjectAccessPolicy
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
OrganizationUserId = Guid.NewGuid(),
|
||||
Read = true,
|
||||
Write = true,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
GrantedProject = grantedProject,
|
||||
};
|
||||
case AccessPolicyType.GroupProjectAccessPolicy:
|
||||
return
|
||||
new GroupProjectAccessPolicy
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
GroupId = Guid.NewGuid(),
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
Read = true,
|
||||
Write = true,
|
||||
GrantedProject = grantedProject,
|
||||
};
|
||||
case AccessPolicyType.ServiceAccountProjectAccessPolicy:
|
||||
return new ServiceAccountProjectAccessPolicy
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
ServiceAccountId = serviceAccountId,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
Read = true,
|
||||
Write = true,
|
||||
GrantedProject = grantedProject,
|
||||
};
|
||||
case AccessPolicyType.UserServiceAccountAccessPolicy:
|
||||
return
|
||||
new UserServiceAccountAccessPolicy
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
OrganizationUserId = Guid.NewGuid(),
|
||||
Read = true,
|
||||
Write = true,
|
||||
GrantedServiceAccountId = grantedServiceAccount.Id,
|
||||
GrantedServiceAccount = grantedServiceAccount,
|
||||
};
|
||||
case AccessPolicyType.GroupServiceAccountAccessPolicy:
|
||||
return new GroupServiceAccountAccessPolicy
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
GroupId = Guid.NewGuid(),
|
||||
GrantedServiceAccountId = grantedServiceAccount.Id,
|
||||
GrantedServiceAccount = grantedServiceAccount,
|
||||
Read = true,
|
||||
Write = true,
|
||||
};
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(accessPolicyType), accessPolicyType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static void SetupMockAccess(SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid userId, BaseAccessPolicy accessPolicy, bool read, bool write)
|
||||
{
|
||||
switch (accessPolicy)
|
||||
{
|
||||
case UserProjectAccessPolicy ap:
|
||||
sutProvider.GetDependency<IProjectRepository>()
|
||||
.AccessToProjectAsync(ap.GrantedProjectId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((read, write));
|
||||
break;
|
||||
case GroupProjectAccessPolicy ap:
|
||||
sutProvider.GetDependency<IProjectRepository>()
|
||||
.AccessToProjectAsync(ap.GrantedProjectId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((read, write));
|
||||
break;
|
||||
case UserServiceAccountAccessPolicy ap:
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.AccessToServiceAccountAsync(ap.GrantedServiceAccountId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((read, write));
|
||||
break;
|
||||
case GroupServiceAccountAccessPolicy ap:
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.AccessToServiceAccountAsync(ap.GrantedServiceAccountId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((read, write));
|
||||
break;
|
||||
case ServiceAccountProjectAccessPolicy ap:
|
||||
sutProvider.GetDependency<IProjectRepository>()
|
||||
.AccessToProjectAsync(ap.GrantedProjectId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((read, write));
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.AccessToServiceAccountAsync(ap.ServiceAccountId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((read, write));
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
private static void SetupOrganizationMismatch(SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
BaseAccessPolicy accessPolicy)
|
||||
{
|
||||
switch (accessPolicy)
|
||||
{
|
||||
case UserProjectAccessPolicy resource:
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdAsync(resource.OrganizationUserId!.Value)
|
||||
.Returns(new OrganizationUser
|
||||
{
|
||||
Id = resource.OrganizationUserId!.Value,
|
||||
OrganizationId = Guid.NewGuid()
|
||||
});
|
||||
break;
|
||||
case GroupProjectAccessPolicy resource:
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdAsync(resource.GroupId!.Value)
|
||||
.Returns(new Group { Id = resource.GroupId!.Value, OrganizationId = Guid.NewGuid() });
|
||||
break;
|
||||
case UserServiceAccountAccessPolicy resource:
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdAsync(resource.OrganizationUserId!.Value)
|
||||
.Returns(new OrganizationUser
|
||||
{
|
||||
Id = resource.OrganizationUserId!.Value,
|
||||
OrganizationId = Guid.NewGuid()
|
||||
});
|
||||
break;
|
||||
case GroupServiceAccountAccessPolicy resource:
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdAsync(resource.GroupId!.Value)
|
||||
.Returns(new Group { Id = resource.GroupId!.Value, OrganizationId = Guid.NewGuid() });
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(accessPolicy), accessPolicy, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static void SetupOrganizationMatch(SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
BaseAccessPolicy accessPolicy, Guid organizationId)
|
||||
{
|
||||
switch (accessPolicy)
|
||||
{
|
||||
case UserProjectAccessPolicy resource:
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdAsync(resource.OrganizationUserId!.Value)
|
||||
.Returns(new OrganizationUser
|
||||
{
|
||||
Id = resource.OrganizationUserId!.Value,
|
||||
OrganizationId = organizationId
|
||||
});
|
||||
break;
|
||||
case GroupProjectAccessPolicy resource:
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdAsync(resource.GroupId!.Value)
|
||||
.Returns(new Group { Id = resource.GroupId!.Value, OrganizationId = organizationId });
|
||||
break;
|
||||
case UserServiceAccountAccessPolicy resource:
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdAsync(resource.OrganizationUserId!.Value)
|
||||
.Returns(new OrganizationUser
|
||||
{
|
||||
Id = resource.OrganizationUserId!.Value,
|
||||
OrganizationId = organizationId
|
||||
});
|
||||
break;
|
||||
case GroupServiceAccountAccessPolicy resource:
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdAsync(resource.GroupId!.Value)
|
||||
.Returns(new Group { Id = resource.GroupId!.Value, OrganizationId = organizationId });
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(accessPolicy), accessPolicy, null);
|
||||
}
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void AccessPolicyOperations_OnlyPublicStatic()
|
||||
{
|
||||
var publicStaticFields = typeof(AccessPolicyOperations).GetFields(BindingFlags.Public | BindingFlags.Static);
|
||||
var allFields = typeof(AccessPolicyOperations).GetFields();
|
||||
Assert.Equal(publicStaticFields.Length, allFields.Length);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Handler_UnsupportedAccessPolicyOperationRequirement_Throws(
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider, UserProjectAccessPolicy resource,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = new AccessPolicyOperationRequirement();
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await Assert.ThrowsAsync<ArgumentException>(() => sutProvider.Sut.HandleAsync(authzContext));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanCreate_OrgMismatch_DoesNotSucceed(
|
||||
AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
SetupOrganizationMismatch(sutProvider, resource);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanCreate_AccessToSecretsManagerFalse_DoesNotSucceed(
|
||||
AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
SetupOrganizationMatch(sutProvider, resource, organizationId);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId)
|
||||
.Returns(false);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanCreate_UnsupportedClientTypes_DoesNotSucceed(
|
||||
AccessClientType clientType,
|
||||
AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
SetupOrganizationMatch(sutProvider, resource, organizationId);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId)
|
||||
.Returns(true);
|
||||
sutProvider.GetDependency<IAccessClientQuery>().GetAccessClientAsync(default, organizationId).ReturnsForAnyArgs(
|
||||
(clientType, Guid.NewGuid()));
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
public async Task CanCreate_AccessCheck(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType,
|
||||
bool read, bool write, bool expected,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Guid userId,
|
||||
Guid serviceAccountId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount, serviceAccountId);
|
||||
SetupCurrentUserPermission(sutProvider, permissionType, organizationId, userId);
|
||||
SetupOrganizationMatch(sutProvider, resource, organizationId);
|
||||
SetupMockAccess(sutProvider, userId, resource, read, write);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(false, false)]
|
||||
[BitAutoData(false, true)]
|
||||
[BitAutoData(true, false)]
|
||||
public async Task CanCreate_ServiceAccountProjectAccessPolicy_TargetsDontExist_DoesNotSucceed(bool projectExists,
|
||||
bool serviceAccountExists,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider, ServiceAccountProjectAccessPolicy resource,
|
||||
Project mockProject, ServiceAccount mockServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
resource.GrantedProject = null;
|
||||
resource.ServiceAccount = null;
|
||||
|
||||
if (projectExists)
|
||||
{
|
||||
resource.GrantedProject = null;
|
||||
mockProject.Id = resource.GrantedProjectId!.Value;
|
||||
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(resource.GrantedProjectId!.Value)
|
||||
.Returns(mockProject);
|
||||
}
|
||||
|
||||
if (serviceAccountExists)
|
||||
{
|
||||
resource.ServiceAccount = null;
|
||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(resource.ServiceAccountId!.Value)
|
||||
.Returns(mockServiceAccount);
|
||||
}
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(false, false)]
|
||||
[BitAutoData(false, true)]
|
||||
[BitAutoData(true, false)]
|
||||
[BitAutoData(true, true)]
|
||||
public async Task CanCreate_ServiceAccountProjectAccessPolicy_OrgMismatch_DoesNotSucceed(bool fetchProject,
|
||||
bool fetchSa,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider, ServiceAccountProjectAccessPolicy resource,
|
||||
Project mockProject, ServiceAccount mockServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
|
||||
if (fetchProject)
|
||||
{
|
||||
resource.GrantedProject = null;
|
||||
mockProject.Id = resource.GrantedProjectId!.Value;
|
||||
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(resource.GrantedProjectId!.Value)
|
||||
.Returns(mockProject);
|
||||
}
|
||||
|
||||
if (fetchSa)
|
||||
{
|
||||
resource.ServiceAccount = null;
|
||||
mockServiceAccount.Id = resource.ServiceAccountId!.Value;
|
||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(resource.ServiceAccountId!.Value)
|
||||
.Returns(mockServiceAccount);
|
||||
}
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task CanCreate_ServiceAccountProjectAccessPolicy_AccessToSecretsManagerFalse_DoesNotSucceed(
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider, ServiceAccountProjectAccessPolicy resource,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
resource.ServiceAccount!.OrganizationId = resource.GrantedProject!.OrganizationId;
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(resource.GrantedProject!.OrganizationId)
|
||||
.Returns(false);
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessClientType.ServiceAccount)]
|
||||
[BitAutoData(AccessClientType.Organization)]
|
||||
public async Task CanCreate_ServiceAccountProjectAccessPolicy_UnsupportedClientTypes_DoesNotSucceed(
|
||||
AccessClientType clientType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider, ServiceAccountProjectAccessPolicy resource,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
resource.ServiceAccount!.OrganizationId = resource.GrantedProject!.OrganizationId;
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(resource.GrantedProject!.OrganizationId)
|
||||
.Returns(true);
|
||||
sutProvider.GetDependency<IAccessClientQuery>().GetAccessClientAsync(default, resource.ServiceAccount!.OrganizationId).ReturnsForAnyArgs(
|
||||
(clientType, new Guid()));
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(PermissionType.RunAsAdmin, true, true, true, true, true)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, false, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, false, true, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, true, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, true, true, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, false, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, false, true, true)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, true, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, true, true, true)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, false, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, false, true, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, true, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, true, true, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, false, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, false, true, true)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, true, false, false)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, true, true, true)]
|
||||
public async Task CanCreate_ServiceAccountProjectAccessPolicy_AccessCheck(PermissionType permissionType,
|
||||
bool projectRead,
|
||||
bool projectWrite, bool saRead, bool saWrite, bool expected,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider, ServiceAccountProjectAccessPolicy resource,
|
||||
ClaimsPrincipal claimsPrincipal, Guid userId)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Create;
|
||||
resource.ServiceAccount!.OrganizationId = resource.GrantedProject!.OrganizationId;
|
||||
SetupCurrentUserPermission(sutProvider, permissionType, resource.GrantedProject!.OrganizationId, userId);
|
||||
sutProvider.GetDependency<IProjectRepository>()
|
||||
.AccessToProjectAsync(resource.GrantedProjectId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((projectRead, projectWrite));
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.AccessToServiceAccountAsync(resource.ServiceAccountId!.Value, userId, Arg.Any<AccessClientType>())
|
||||
.Returns((saRead, saWrite));
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanUpdate_AccessToSecretsManagerFalse_DoesNotSucceed(AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Update;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId).Returns(false);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanUpdate_UnsupportedClientTypes_DoesNotSucceed(
|
||||
AccessClientType clientType,
|
||||
AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Update;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId).Returns(true);
|
||||
sutProvider.GetDependency<IAccessClientQuery>().GetAccessClientAsync(default, organizationId).ReturnsForAnyArgs(
|
||||
(clientType, new Guid()));
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
public async Task CanUpdate_AccessCheck(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType, bool read,
|
||||
bool write, bool expected,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal, Guid userId, Guid serviceAccountId)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Update;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount,
|
||||
serviceAccountId);
|
||||
SetupCurrentUserPermission(sutProvider, permissionType, organizationId, userId);
|
||||
SetupMockAccess(sutProvider, userId, resource, read, write);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanDelete_AccessToSecretsManagerFalse_DoesNotSucceed(AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Delete;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId).Returns(false);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.ServiceAccount, AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessClientType.Organization, AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CanDelete_UnsupportedClientTypes_DoesNotSucceed(
|
||||
AccessClientType clientType,
|
||||
AccessPolicyType accessPolicyType,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Delete;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(organizationId).Returns(true);
|
||||
sutProvider.GetDependency<IAccessClientQuery>().GetAccessClientAsync(default, organizationId).ReturnsForAnyArgs(
|
||||
(clientType, new Guid()));
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.False(authzContext.HasSucceeded);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsAdmin, true, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||
public async Task CanDelete_AccessCheck(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType,
|
||||
bool read, bool write, bool expected,
|
||||
SutProvider<AccessPolicyAuthorizationHandler> sutProvider,
|
||||
Guid organizationId,
|
||||
Project mockGrantedProject,
|
||||
ServiceAccount mockGrantedServiceAccount,
|
||||
ClaimsPrincipal claimsPrincipal, Guid userId, Guid serviceAccountId)
|
||||
{
|
||||
var requirement = AccessPolicyOperations.Delete;
|
||||
mockGrantedProject.OrganizationId = organizationId;
|
||||
mockGrantedServiceAccount.OrganizationId = organizationId;
|
||||
|
||||
var resource = CreatePolicy(accessPolicyType, mockGrantedProject, mockGrantedServiceAccount,
|
||||
serviceAccountId);
|
||||
SetupCurrentUserPermission(sutProvider, permissionType, organizationId, userId);
|
||||
SetupMockAccess(sutProvider, userId, resource, read, write);
|
||||
|
||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||
claimsPrincipal, resource);
|
||||
|
||||
await sutProvider.Sut.HandleAsync(authzContext);
|
||||
|
||||
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||
}
|
||||
}
|
@ -1,6 +1,4 @@
|
||||
using Bit.Commercial.Core.SecretsManager.Commands.AccessPolicies;
|
||||
using Bit.Commercial.Core.Test.SecretsManager.Enums;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
@ -25,14 +23,20 @@ public class CreateAccessPoliciesCommandTests
|
||||
foreach (var ap in userProjectAccessPolicies)
|
||||
{
|
||||
ap.GrantedProjectId = grantedProjectId;
|
||||
ap.GrantedProject = null;
|
||||
ap.User = null;
|
||||
}
|
||||
foreach (var ap in groupProjectAccessPolicies)
|
||||
{
|
||||
ap.GrantedProjectId = grantedProjectId;
|
||||
ap.GrantedProject = null;
|
||||
ap.Group = null;
|
||||
}
|
||||
foreach (var ap in serviceAccountProjectAccessPolicies)
|
||||
{
|
||||
ap.GrantedProjectId = grantedProjectId;
|
||||
ap.GrantedProject = null;
|
||||
ap.ServiceAccount = null;
|
||||
}
|
||||
data.AddRange(userProjectAccessPolicies);
|
||||
data.AddRange(groupProjectAccessPolicies);
|
||||
@ -47,114 +51,23 @@ public class CreateAccessPoliciesCommandTests
|
||||
foreach (var ap in userServiceAccountAccessPolicies)
|
||||
{
|
||||
ap.GrantedServiceAccountId = grantedServiceAccountId;
|
||||
ap.GrantedServiceAccount = null;
|
||||
ap.User = null;
|
||||
}
|
||||
foreach (var ap in groupServiceAccountAccessPolicies)
|
||||
{
|
||||
ap.GrantedServiceAccountId = grantedServiceAccountId;
|
||||
ap.GrantedServiceAccount = null;
|
||||
ap.Group = null;
|
||||
}
|
||||
data.AddRange(userServiceAccountAccessPolicies);
|
||||
data.AddRange(groupServiceAccountAccessPolicies);
|
||||
return data;
|
||||
}
|
||||
|
||||
private static List<BaseAccessPolicy> MakeDuplicate(List<BaseAccessPolicy> data, AccessPolicyType accessPolicyType)
|
||||
{
|
||||
switch (accessPolicyType)
|
||||
{
|
||||
case AccessPolicyType.UserProjectAccessPolicy:
|
||||
{
|
||||
var mockAccessPolicy = new UserProjectAccessPolicy
|
||||
{
|
||||
OrganizationUserId = Guid.NewGuid(),
|
||||
GrantedProjectId = Guid.NewGuid(),
|
||||
};
|
||||
data.Add(mockAccessPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockAccessPolicy);
|
||||
break;
|
||||
}
|
||||
case AccessPolicyType.GroupProjectAccessPolicy:
|
||||
{
|
||||
var mockAccessPolicy = new GroupProjectAccessPolicy
|
||||
{
|
||||
GroupId = Guid.NewGuid(),
|
||||
GrantedProjectId = Guid.NewGuid(),
|
||||
};
|
||||
data.Add(mockAccessPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockAccessPolicy);
|
||||
break;
|
||||
}
|
||||
case AccessPolicyType.ServiceAccountProjectAccessPolicy:
|
||||
{
|
||||
var mockAccessPolicy = new ServiceAccountProjectAccessPolicy
|
||||
{
|
||||
ServiceAccountId = Guid.NewGuid(),
|
||||
GrantedProjectId = Guid.NewGuid(),
|
||||
};
|
||||
data.Add(mockAccessPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockAccessPolicy);
|
||||
break;
|
||||
}
|
||||
case AccessPolicyType.UserServiceAccountAccessPolicy:
|
||||
{
|
||||
var mockAccessPolicy = new UserServiceAccountAccessPolicy
|
||||
{
|
||||
OrganizationUserId = Guid.NewGuid(),
|
||||
GrantedServiceAccountId = Guid.NewGuid(),
|
||||
};
|
||||
data.Add(mockAccessPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockAccessPolicy);
|
||||
break;
|
||||
}
|
||||
case AccessPolicyType.GroupServiceAccountAccessPolicy:
|
||||
{
|
||||
var mockAccessPolicy = new GroupServiceAccountAccessPolicy
|
||||
{
|
||||
GroupId = Guid.NewGuid(),
|
||||
GrantedServiceAccountId = Guid.NewGuid(),
|
||||
};
|
||||
data.Add(mockAccessPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockAccessPolicy);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return data;
|
||||
}
|
||||
|
||||
private static void SetupPermission(SutProvider<CreateAccessPoliciesCommand> sutProvider,
|
||||
PermissionType permissionType, Project project, Guid userId)
|
||||
{
|
||||
if (permissionType == PermissionType.RunAsUserWithPermission)
|
||||
{
|
||||
sutProvider.GetDependency<IProjectRepository>().AccessToProjectAsync(project.Id, userId, AccessClientType.User)
|
||||
.Returns((true, true));
|
||||
}
|
||||
}
|
||||
|
||||
private static void SetupPermission(SutProvider<CreateAccessPoliciesCommand> sutProvider,
|
||||
PermissionType permissionType, ServiceAccount serviceAccount, Guid userId)
|
||||
{
|
||||
if (permissionType == PermissionType.RunAsUserWithPermission)
|
||||
{
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.UserHasWriteAccessToServiceAccount(serviceAccount.Id, userId).Returns(true);
|
||||
}
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task CreateMany_AlreadyExists_Throws_BadRequestException(
|
||||
Guid userId,
|
||||
Project project,
|
||||
ServiceAccount serviceAccount,
|
||||
List<UserProjectAccessPolicy> userProjectAccessPolicies,
|
||||
@ -173,83 +86,34 @@ public class CreateAccessPoliciesCommandTests
|
||||
.Returns(true);
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(() =>
|
||||
sutProvider.Sut.CreateManyAsync(data, userId, AccessClientType.NoAccessCheck));
|
||||
sutProvider.Sut.CreateManyAsync(data));
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().CreateManyAsync(default!);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task CreateMany_NotUnique_ThrowsException(
|
||||
AccessPolicyType accessPolicyType,
|
||||
Guid userId,
|
||||
Project project,
|
||||
ServiceAccount serviceAccount,
|
||||
List<UserProjectAccessPolicy> userProjectAccessPolicies,
|
||||
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
|
||||
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
|
||||
List<UserServiceAccountAccessPolicy> userServiceAccountAccessPolicies,
|
||||
List<GroupServiceAccountAccessPolicy> groupServiceAccountAccessPolicies,
|
||||
SutProvider<CreateAccessPoliciesCommand> sutProvider
|
||||
)
|
||||
[BitAutoData]
|
||||
public async Task CreateMany_ClearsReferences(SutProvider<CreateAccessPoliciesCommand> sutProvider, Guid projectId)
|
||||
{
|
||||
var data = MakeGrantedProjectAccessPolicies(project.Id, userProjectAccessPolicies, groupProjectAccessPolicies,
|
||||
serviceAccountProjectAccessPolicies);
|
||||
var saData = MakeGrantedServiceAccountAccessPolicies(serviceAccount.Id, userServiceAccountAccessPolicies, groupServiceAccountAccessPolicies);
|
||||
data = data.Concat(saData).ToList();
|
||||
data = MakeDuplicate(data, accessPolicyType);
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(() =>
|
||||
sutProvider.Sut.CreateManyAsync(data, userId, AccessClientType.NoAccessCheck));
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(PermissionType.RunAsUserWithPermission)]
|
||||
public async Task CreateMany_Success(
|
||||
PermissionType permissionType,
|
||||
Guid userId,
|
||||
Project project,
|
||||
ServiceAccount serviceAccount,
|
||||
List<UserProjectAccessPolicy> userProjectAccessPolicies,
|
||||
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
|
||||
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
|
||||
List<UserServiceAccountAccessPolicy> userServiceAccountAccessPolicies,
|
||||
List<GroupServiceAccountAccessPolicy> groupServiceAccountAccessPolicies,
|
||||
SutProvider<CreateAccessPoliciesCommand> sutProvider)
|
||||
{
|
||||
var data = MakeGrantedProjectAccessPolicies(project.Id, userProjectAccessPolicies, groupProjectAccessPolicies,
|
||||
serviceAccountProjectAccessPolicies);
|
||||
var saData = MakeGrantedServiceAccountAccessPolicies(serviceAccount.Id, userServiceAccountAccessPolicies, groupServiceAccountAccessPolicies);
|
||||
data = data.Concat(saData).ToList();
|
||||
|
||||
SetupPermission(sutProvider, permissionType, serviceAccount, userId);
|
||||
SetupPermission(sutProvider, permissionType, project, userId);
|
||||
|
||||
if (permissionType == PermissionType.RunAsAdmin)
|
||||
var userProjectAp = new UserProjectAccessPolicy
|
||||
{
|
||||
await sutProvider.Sut.CreateManyAsync(data, userId, AccessClientType.NoAccessCheck);
|
||||
}
|
||||
else if (permissionType == PermissionType.RunAsUserWithPermission)
|
||||
{
|
||||
await sutProvider.Sut.CreateManyAsync(data, userId, AccessClientType.User);
|
||||
}
|
||||
GrantedProjectId = projectId,
|
||||
OrganizationUserId = new Guid(),
|
||||
};
|
||||
var data = new List<BaseAccessPolicy>() { userProjectAp, };
|
||||
|
||||
userProjectAp.GrantedProject = new Project() { Id = new Guid() };
|
||||
var expectedCall = new List<BaseAccessPolicy>() { userProjectAp, };
|
||||
|
||||
await sutProvider.Sut.CreateManyAsync(data);
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
|
||||
.CreateManyAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)));
|
||||
.CreateManyAsync(Arg.Is(AssertHelper.AssertPropertyEqual(expectedCall)));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task CreateMany_UserWithoutPermission_Throws(
|
||||
Guid userId,
|
||||
public async Task CreateMany_Success(
|
||||
Project project,
|
||||
ServiceAccount serviceAccount,
|
||||
List<UserProjectAccessPolicy> userProjectAccessPolicies,
|
||||
@ -264,10 +128,9 @@ public class CreateAccessPoliciesCommandTests
|
||||
var saData = MakeGrantedServiceAccountAccessPolicies(serviceAccount.Id, userServiceAccountAccessPolicies, groupServiceAccountAccessPolicies);
|
||||
data = data.Concat(saData).ToList();
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.CreateManyAsync(data, userId, AccessClientType.User));
|
||||
await sutProvider.Sut.CreateManyAsync(data);
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
|
||||
.CreateManyAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)));
|
||||
}
|
||||
}
|
||||
|
@ -1,16 +1,10 @@
|
||||
using Bit.Commercial.Core.SecretsManager.Commands.AccessPolicies;
|
||||
using Bit.Commercial.Core.Test.SecretsManager.Enums;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
using Bit.Core.Test.SecretsManager.AutoFixture.ProjectsFixture;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Bit.Test.Common.Helpers;
|
||||
using NSubstitute;
|
||||
using NSubstitute.ReturnsExtensions;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Commercial.Core.Test.SecretsManager.Commands.AccessPolicies;
|
||||
@ -19,213 +13,13 @@ namespace Bit.Commercial.Core.Test.SecretsManager.Commands.AccessPolicies;
|
||||
[ProjectCustomize]
|
||||
public class DeleteAccessPolicyCommandTests
|
||||
{
|
||||
private static void SetupPermission(SutProvider<DeleteAccessPolicyCommand> sutProvider,
|
||||
PermissionType permissionType, Project grantedProject, Guid userId)
|
||||
{
|
||||
switch (permissionType)
|
||||
{
|
||||
case PermissionType.RunAsAdmin:
|
||||
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(grantedProject.OrganizationId)
|
||||
.Returns(true);
|
||||
break;
|
||||
case PermissionType.RunAsUserWithPermission:
|
||||
sutProvider.GetDependency<IProjectRepository>().AccessToProjectAsync(grantedProject.Id, userId, AccessClientType.User)
|
||||
.Returns((true, true));
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(permissionType), permissionType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static void SetupPermission(SutProvider<DeleteAccessPolicyCommand> sutProvider,
|
||||
PermissionType permissionType, ServiceAccount grantedServiceAccount, Guid userId)
|
||||
{
|
||||
switch (permissionType)
|
||||
{
|
||||
case PermissionType.RunAsAdmin:
|
||||
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(grantedServiceAccount.OrganizationId)
|
||||
.Returns(true);
|
||||
break;
|
||||
case PermissionType.RunAsUserWithPermission:
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.UserHasWriteAccessToServiceAccount(grantedServiceAccount.Id, userId)
|
||||
.Returns(true);
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(permissionType), permissionType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static BaseAccessPolicy CreatePolicyToReturn(AccessPolicyType accessPolicyType, Guid data,
|
||||
Project grantedProject, Group mockGroup, ServiceAccount mockServiceAccount) =>
|
||||
accessPolicyType switch
|
||||
{
|
||||
AccessPolicyType.UserProjectAccessPolicy => new UserProjectAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
GrantedProject = grantedProject,
|
||||
},
|
||||
AccessPolicyType.GroupProjectAccessPolicy => new GroupProjectAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
Group = mockGroup,
|
||||
GrantedProject = grantedProject,
|
||||
},
|
||||
AccessPolicyType.ServiceAccountProjectAccessPolicy => new ServiceAccountProjectAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
ServiceAccount = mockServiceAccount,
|
||||
GrantedProject = grantedProject,
|
||||
},
|
||||
_ => null,
|
||||
};
|
||||
|
||||
private static BaseAccessPolicy CreatePolicyToReturn(AccessPolicyType accessPolicyType, Guid data,
|
||||
ServiceAccount grantedServiceAccount, Group mockGroup) =>
|
||||
accessPolicyType switch
|
||||
{
|
||||
AccessPolicyType.UserServiceAccountAccessPolicy => new UserServiceAccountAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedServiceAccountId = grantedServiceAccount.Id,
|
||||
GrantedServiceAccount = grantedServiceAccount,
|
||||
},
|
||||
AccessPolicyType.GroupServiceAccountAccessPolicy => new GroupServiceAccountAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedServiceAccountId = grantedServiceAccount.Id,
|
||||
Group = mockGroup,
|
||||
GrantedServiceAccount = grantedServiceAccount,
|
||||
},
|
||||
_ => null,
|
||||
};
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task DeleteAccessPolicy_Throws_NotFoundException(Guid data, Guid userId,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
public async Task DeleteAsync_Success(SutProvider<DeleteAccessPolicyCommand> sutProvider, Guid data)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).ReturnsNull();
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAsync(data, userId));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
|
||||
}
|
||||
await sutProvider.Sut.DeleteAsync(data);
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task DeleteAccessPolicy_SmNotEnabled_Throws_NotFoundException(Guid data, Guid userId,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(false);
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).ReturnsNull();
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAsync(data, userId));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
public async Task DeleteAccessPolicy_ProjectGrants_PermissionsCheck_Success(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType,
|
||||
Guid data,
|
||||
Guid userId,
|
||||
Project grantedProject,
|
||||
Group mockGroup,
|
||||
ServiceAccount mockServiceAccount,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn =
|
||||
CreatePolicyToReturn(accessPolicyType, data, grantedProject, mockGroup, mockServiceAccount);
|
||||
SetupPermission(sutProvider, permissionType, grantedProject, userId);
|
||||
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data)
|
||||
.Returns(policyToReturn);
|
||||
|
||||
await sutProvider.Sut.DeleteAsync(data, userId);
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1).DeleteAsync(Arg.Is(data));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
public async Task DeleteAccessPolicy_UserProjectAccessPolicy_PermissionsCheck_ThrowsNotAuthorized(
|
||||
AccessPolicyType accessPolicyType,
|
||||
Guid data,
|
||||
Guid userId,
|
||||
Group mockGroup,
|
||||
ServiceAccount mockServiceAccount,
|
||||
Project grantedProject,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn =
|
||||
CreatePolicyToReturn(accessPolicyType, data, grantedProject, mockGroup, mockServiceAccount);
|
||||
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data)
|
||||
.Returns(policyToReturn);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.DeleteAsync(data, userId));
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
public async Task DeleteAccessPolicy_ServiceAccountGrants_PermissionsCheck_Success(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType,
|
||||
Guid data,
|
||||
Guid userId,
|
||||
ServiceAccount grantedServiceAccount,
|
||||
Group mockGroup,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn = CreatePolicyToReturn(accessPolicyType, data, grantedServiceAccount, mockGroup);
|
||||
SetupPermission(sutProvider, permissionType, grantedServiceAccount, userId);
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data)
|
||||
.Returns(policyToReturn);
|
||||
|
||||
await sutProvider.Sut.DeleteAsync(data, userId);
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1).DeleteAsync(Arg.Is(data));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task DeleteAccessPolicy_ServiceAccountGrants_PermissionsCheck_Throws(
|
||||
AccessPolicyType accessPolicyType,
|
||||
Guid data,
|
||||
Guid userId,
|
||||
ServiceAccount grantedServiceAccount,
|
||||
Group mockGroup,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn = CreatePolicyToReturn(accessPolicyType, data, grantedServiceAccount, mockGroup);
|
||||
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data)
|
||||
.Returns(policyToReturn);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.DeleteAsync(data, userId));
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
|
||||
.DeleteAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)));
|
||||
}
|
||||
}
|
||||
|
@ -1,8 +1,4 @@
|
||||
using Bit.Commercial.Core.SecretsManager.Commands.AccessPolicies;
|
||||
using Bit.Commercial.Core.Test.SecretsManager.Enums;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
@ -19,243 +15,30 @@ namespace Bit.Commercial.Core.Test.SecretsManager.Commands.AccessPolicies;
|
||||
[ProjectCustomize]
|
||||
public class UpdateAccessPolicyCommandTests
|
||||
{
|
||||
private static void SetupPermission(SutProvider<UpdateAccessPolicyCommand> sutProvider,
|
||||
PermissionType permissionType, Project grantedProject, Guid userId)
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task UpdateAsync_DoesNotExist_ThrowsNotFound(Guid data, bool read, bool write,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
switch (permissionType)
|
||||
{
|
||||
case PermissionType.RunAsAdmin:
|
||||
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(grantedProject.OrganizationId)
|
||||
.Returns(true);
|
||||
break;
|
||||
case PermissionType.RunAsUserWithPermission:
|
||||
sutProvider.GetDependency<IProjectRepository>().AccessToProjectAsync(grantedProject.Id, userId, AccessClientType.User)
|
||||
.Returns((true, true));
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(permissionType), permissionType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static void SetupPermission(SutProvider<UpdateAccessPolicyCommand> sutProvider,
|
||||
PermissionType permissionType, ServiceAccount grantedServiceAccount, Guid userId)
|
||||
{
|
||||
switch (permissionType)
|
||||
{
|
||||
case PermissionType.RunAsAdmin:
|
||||
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(grantedServiceAccount.OrganizationId)
|
||||
.Returns(true);
|
||||
break;
|
||||
case PermissionType.RunAsUserWithPermission:
|
||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||
.UserHasWriteAccessToServiceAccount(grantedServiceAccount.Id, userId)
|
||||
.Returns(true);
|
||||
break;
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(permissionType), permissionType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static BaseAccessPolicy CreatePolicyToReturn(AccessPolicyType accessPolicyType,
|
||||
ServiceAccount grantedServiceAccount, Guid data, Group mockGroup)
|
||||
{
|
||||
switch (accessPolicyType)
|
||||
{
|
||||
case AccessPolicyType.UserServiceAccountAccessPolicy:
|
||||
return
|
||||
new UserServiceAccountAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
Read = true,
|
||||
Write = true,
|
||||
GrantedServiceAccountId = grantedServiceAccount.Id,
|
||||
GrantedServiceAccount = grantedServiceAccount,
|
||||
};
|
||||
case AccessPolicyType.GroupServiceAccountAccessPolicy:
|
||||
mockGroup.OrganizationId = grantedServiceAccount.OrganizationId;
|
||||
return new GroupServiceAccountAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedServiceAccountId = grantedServiceAccount.Id,
|
||||
GrantedServiceAccount = grantedServiceAccount,
|
||||
Read = true,
|
||||
Write = true,
|
||||
Group = mockGroup,
|
||||
};
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(accessPolicyType), accessPolicyType, null);
|
||||
}
|
||||
}
|
||||
|
||||
private static BaseAccessPolicy CreatePolicyToReturn(AccessPolicyType accessPolicyType, Guid data,
|
||||
Project grantedProject, Group mockGroup, ServiceAccount mockServiceAccount)
|
||||
{
|
||||
switch (accessPolicyType)
|
||||
{
|
||||
case AccessPolicyType.UserProjectAccessPolicy:
|
||||
return
|
||||
new UserProjectAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
Read = true,
|
||||
Write = true,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
GrantedProject = grantedProject,
|
||||
};
|
||||
case AccessPolicyType.GroupProjectAccessPolicy:
|
||||
mockGroup.OrganizationId = grantedProject.OrganizationId;
|
||||
return
|
||||
new GroupProjectAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
Read = true,
|
||||
Write = true,
|
||||
Group = mockGroup,
|
||||
GrantedProject = grantedProject,
|
||||
};
|
||||
case AccessPolicyType.ServiceAccountProjectAccessPolicy:
|
||||
mockServiceAccount.OrganizationId = grantedProject.OrganizationId;
|
||||
return new ServiceAccountProjectAccessPolicy
|
||||
{
|
||||
Id = data,
|
||||
GrantedProjectId = grantedProject.Id,
|
||||
Read = true,
|
||||
Write = true,
|
||||
ServiceAccount = mockServiceAccount,
|
||||
GrantedProject = grantedProject,
|
||||
};
|
||||
default:
|
||||
throw new ArgumentOutOfRangeException(nameof(accessPolicyType), accessPolicyType, null);
|
||||
}
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateAsync(data, read, write));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(Arg.Any<BaseAccessPolicy>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task UpdateAsync_Throws_NotFoundException(Guid data, bool read, bool write, Guid userId,
|
||||
public async Task UpdateAsync_Success(Guid data, bool read, bool write, UserProjectAccessPolicy accessPolicy,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateAsync(data, read, write, userId));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(default);
|
||||
}
|
||||
accessPolicy.Id = data;
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).Returns(accessPolicy);
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task UpdateAsync_SmNotEnabled_Throws_NotFoundException(Guid data, bool read, bool write, Guid userId,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(false);
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateAsync(data, read, write, userId));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(default);
|
||||
}
|
||||
var result = await sutProvider.Sut.UpdateAsync(data, read, write);
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
public async Task UpdateAsync_ProjectGrants_PermissionsCheck_Success(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType,
|
||||
Guid data,
|
||||
bool read,
|
||||
bool write,
|
||||
Guid userId,
|
||||
Project grantedProject,
|
||||
Group mockGroup,
|
||||
ServiceAccount mockServiceAccount,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn =
|
||||
CreatePolicyToReturn(accessPolicyType, data, grantedProject, mockGroup, mockServiceAccount);
|
||||
SetupPermission(sutProvider, permissionType, grantedProject, userId);
|
||||
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).Returns(policyToReturn);
|
||||
var result = await sutProvider.Sut.UpdateAsync(data, read, write, userId);
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1).ReplaceAsync(policyToReturn);
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
|
||||
.ReplaceAsync(Arg.Any<BaseAccessPolicy>());
|
||||
|
||||
AssertHelper.AssertRecent(result.RevisionDate);
|
||||
Assert.Equal(read, result.Read);
|
||||
Assert.Equal(write, result.Write);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupProjectAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.ServiceAccountProjectAccessPolicy)]
|
||||
public async Task UpdateAsync_ProjectGrants_PermissionsCheck_Throws(
|
||||
AccessPolicyType accessPolicyType,
|
||||
Guid data,
|
||||
bool read,
|
||||
bool write,
|
||||
Guid userId,
|
||||
Project grantedProject,
|
||||
Group mockGroup,
|
||||
ServiceAccount mockServiceAccount,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn =
|
||||
CreatePolicyToReturn(accessPolicyType, data, grantedProject, mockGroup, mockServiceAccount);
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).Returns(policyToReturn);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.UpdateAsync(data, read, write, userId));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(default);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsAdmin)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy, PermissionType.RunAsUserWithPermission)]
|
||||
public async Task UpdateAsync_ServiceAccountGrants_PermissionsCheck_Success(
|
||||
AccessPolicyType accessPolicyType,
|
||||
PermissionType permissionType,
|
||||
Guid data,
|
||||
bool read,
|
||||
bool write,
|
||||
Guid userId,
|
||||
ServiceAccount grantedServiceAccount,
|
||||
Group mockGroup,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn = CreatePolicyToReturn(accessPolicyType, grantedServiceAccount, data, mockGroup);
|
||||
SetupPermission(sutProvider, permissionType, grantedServiceAccount, userId);
|
||||
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).Returns(policyToReturn);
|
||||
var result = await sutProvider.Sut.UpdateAsync(data, read, write, userId);
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1).ReplaceAsync(policyToReturn);
|
||||
|
||||
AssertHelper.AssertRecent(result.RevisionDate);
|
||||
Assert.Equal(read, result.Read);
|
||||
Assert.Equal(write, result.Write);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(AccessPolicyType.UserServiceAccountAccessPolicy)]
|
||||
[BitAutoData(AccessPolicyType.GroupServiceAccountAccessPolicy)]
|
||||
public async Task UpdateAsync_ServiceAccountGrants_PermissionsCheck_Throws(
|
||||
AccessPolicyType accessPolicyType,
|
||||
Guid data,
|
||||
bool read,
|
||||
bool write,
|
||||
Guid userId,
|
||||
ServiceAccount grantedServiceAccount,
|
||||
Group mockGroup,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(Arg.Any<Guid>()).Returns(true);
|
||||
var policyToReturn = CreatePolicyToReturn(accessPolicyType, grantedServiceAccount, data, mockGroup);
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).Returns(policyToReturn);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.UpdateAsync(data, read, write, userId));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(default);
|
||||
}
|
||||
}
|
||||
|
@ -5,6 +5,7 @@ using Bit.Core.Context;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.SecretsManager.AuthorizationRequirements;
|
||||
using Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
@ -31,8 +32,10 @@ public class AccessPoliciesController : Controller
|
||||
private readonly IServiceAccountRepository _serviceAccountRepository;
|
||||
private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
|
||||
private readonly IUserService _userService;
|
||||
private readonly IAuthorizationService _authorizationService;
|
||||
|
||||
public AccessPoliciesController(
|
||||
IAuthorizationService authorizationService,
|
||||
IUserService userService,
|
||||
ICurrentContext currentContext,
|
||||
IAccessPolicyRepository accessPolicyRepository,
|
||||
@ -44,6 +47,7 @@ public class AccessPoliciesController : Controller
|
||||
IDeleteAccessPolicyCommand deleteAccessPolicyCommand,
|
||||
IUpdateAccessPolicyCommand updateAccessPolicyCommand)
|
||||
{
|
||||
_authorizationService = authorizationService;
|
||||
_userService = userService;
|
||||
_currentContext = currentContext;
|
||||
_serviceAccountRepository = serviceAccountRepository;
|
||||
@ -71,9 +75,17 @@ public class AccessPoliciesController : Controller
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var (accessClient, userId) = await GetAccessClientTypeAsync(project.OrganizationId);
|
||||
var policies = request.ToBaseAccessPoliciesForProject(id);
|
||||
var results = await _createAccessPoliciesCommand.CreateManyAsync(policies, userId, accessClient);
|
||||
var policies = request.ToBaseAccessPoliciesForProject(id, project.OrganizationId);
|
||||
foreach (var policy in policies)
|
||||
{
|
||||
var authorizationResult = await _authorizationService.AuthorizeAsync(User, policy, AccessPolicyOperations.Create);
|
||||
if (!authorizationResult.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
var results = await _createAccessPoliciesCommand.CreateManyAsync(policies);
|
||||
return new ProjectAccessPoliciesResponseModel(results);
|
||||
}
|
||||
|
||||
@ -102,9 +114,17 @@ public class AccessPoliciesController : Controller
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var (accessClient, userId) = await GetAccessClientTypeAsync(serviceAccount.OrganizationId);
|
||||
var policies = request.ToBaseAccessPoliciesForServiceAccount(id);
|
||||
var results = await _createAccessPoliciesCommand.CreateManyAsync(policies, userId, accessClient);
|
||||
var policies = request.ToBaseAccessPoliciesForServiceAccount(id, serviceAccount.OrganizationId);
|
||||
foreach (var policy in policies)
|
||||
{
|
||||
var authorizationResult = await _authorizationService.AuthorizeAsync(User, policy, AccessPolicyOperations.Create);
|
||||
if (!authorizationResult.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
var results = await _createAccessPoliciesCommand.CreateManyAsync(policies);
|
||||
return new ServiceAccountAccessPoliciesResponseModel(results);
|
||||
}
|
||||
|
||||
@ -128,17 +148,29 @@ public class AccessPoliciesController : Controller
|
||||
throw new BadRequestException($"Can process no more than {_maxBulkCreation} creation requests at once.");
|
||||
}
|
||||
|
||||
if (requests.Count != requests.DistinctBy(request => request.GrantedId).Count())
|
||||
{
|
||||
throw new BadRequestException("Resources must be unique");
|
||||
}
|
||||
|
||||
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
|
||||
if (serviceAccount == null)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var (accessClient, userId) = await GetAccessClientTypeAsync(serviceAccount.OrganizationId);
|
||||
var policies = requests.Select(request => request.ToServiceAccountProjectAccessPolicy(id));
|
||||
var policies = requests.Select(request => request.ToServiceAccountProjectAccessPolicy(id, serviceAccount.OrganizationId)).ToList();
|
||||
foreach (var policy in policies)
|
||||
{
|
||||
var authorizationResult = await _authorizationService.AuthorizeAsync(User, policy, AccessPolicyOperations.Create);
|
||||
if (!authorizationResult.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
var results =
|
||||
await _createAccessPoliciesCommand.CreateManyAsync(new List<BaseAccessPolicy>(policies), userId,
|
||||
accessClient);
|
||||
await _createAccessPoliciesCommand.CreateManyAsync(new List<BaseAccessPolicy>(policies));
|
||||
var responses = results.Select(ap =>
|
||||
new ServiceAccountProjectAccessPolicyResponseModel((ServiceAccountProjectAccessPolicy)ap));
|
||||
return new ListResponseModel<ServiceAccountProjectAccessPolicyResponseModel>(responses);
|
||||
@ -165,8 +197,15 @@ public class AccessPoliciesController : Controller
|
||||
public async Task<BaseAccessPolicyResponseModel> UpdateAccessPolicyAsync([FromRoute] Guid id,
|
||||
[FromBody] AccessPolicyUpdateRequest request)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var result = await _updateAccessPolicyCommand.UpdateAsync(id, request.Read, request.Write, userId);
|
||||
var ap = await _accessPolicyRepository.GetByIdAsync(id);
|
||||
var authorizationResult =
|
||||
await _authorizationService.AuthorizeAsync(User, ap, AccessPolicyOperations.Update);
|
||||
if (!authorizationResult.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var result = await _updateAccessPolicyCommand.UpdateAsync(id, request.Read, request.Write);
|
||||
|
||||
return result switch
|
||||
{
|
||||
@ -185,8 +224,15 @@ public class AccessPoliciesController : Controller
|
||||
[HttpDelete("{id}")]
|
||||
public async Task DeleteAccessPolicyAsync([FromRoute] Guid id)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
await _deleteAccessPolicyCommand.DeleteAsync(id, userId);
|
||||
var ap = await _accessPolicyRepository.GetByIdAsync(id);
|
||||
var authorizationResult =
|
||||
await _authorizationService.AuthorizeAsync(User, ap, AccessPolicyOperations.Delete);
|
||||
if (!authorizationResult.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
await _deleteAccessPolicyCommand.DeleteAsync(id);
|
||||
}
|
||||
|
||||
[HttpGet("/organizations/{id}/access-policies/people/potential-grantees")]
|
||||
|
@ -7,13 +7,36 @@ namespace Bit.Api.SecretsManager.Models.Request;
|
||||
|
||||
public class AccessPoliciesCreateRequest
|
||||
{
|
||||
private static void CheckForDistinctAccessPolicies(IReadOnlyCollection<BaseAccessPolicy> accessPolicies)
|
||||
{
|
||||
var distinctAccessPolicies = accessPolicies.DistinctBy(baseAccessPolicy =>
|
||||
{
|
||||
return baseAccessPolicy switch
|
||||
{
|
||||
UserProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId, ap.GrantedProjectId),
|
||||
GroupProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedProjectId),
|
||||
ServiceAccountProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.ServiceAccountId,
|
||||
ap.GrantedProjectId),
|
||||
UserServiceAccountAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId,
|
||||
ap.GrantedServiceAccountId),
|
||||
GroupServiceAccountAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedServiceAccountId),
|
||||
_ => throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy)),
|
||||
};
|
||||
}).ToList();
|
||||
|
||||
if (accessPolicies.Count != distinctAccessPolicies.Count)
|
||||
{
|
||||
throw new BadRequestException("Resources must be unique");
|
||||
}
|
||||
}
|
||||
|
||||
public IEnumerable<AccessPolicyRequest>? UserAccessPolicyRequests { get; set; }
|
||||
|
||||
public IEnumerable<AccessPolicyRequest>? GroupAccessPolicyRequests { get; set; }
|
||||
|
||||
public IEnumerable<AccessPolicyRequest>? ServiceAccountAccessPolicyRequests { get; set; }
|
||||
|
||||
public List<BaseAccessPolicy> ToBaseAccessPoliciesForProject(Guid grantedProjectId)
|
||||
public List<BaseAccessPolicy> ToBaseAccessPoliciesForProject(Guid grantedProjectId, Guid organizationId)
|
||||
{
|
||||
if (UserAccessPolicyRequests == null && GroupAccessPolicyRequests == null && ServiceAccountAccessPolicyRequests == null)
|
||||
{
|
||||
@ -21,13 +44,13 @@ public class AccessPoliciesCreateRequest
|
||||
}
|
||||
|
||||
var userAccessPolicies = UserAccessPolicyRequests?
|
||||
.Select(x => x.ToUserProjectAccessPolicy(grantedProjectId)).ToList();
|
||||
.Select(x => x.ToUserProjectAccessPolicy(grantedProjectId, organizationId)).ToList();
|
||||
|
||||
var groupAccessPolicies = GroupAccessPolicyRequests?
|
||||
.Select(x => x.ToGroupProjectAccessPolicy(grantedProjectId)).ToList();
|
||||
.Select(x => x.ToGroupProjectAccessPolicy(grantedProjectId, organizationId)).ToList();
|
||||
|
||||
var serviceAccountAccessPolicies = ServiceAccountAccessPolicyRequests?
|
||||
.Select(x => x.ToServiceAccountProjectAccessPolicy(grantedProjectId)).ToList();
|
||||
.Select(x => x.ToServiceAccountProjectAccessPolicy(grantedProjectId, organizationId)).ToList();
|
||||
|
||||
var policies = new List<BaseAccessPolicy>();
|
||||
if (userAccessPolicies != null)
|
||||
@ -44,10 +67,12 @@ public class AccessPoliciesCreateRequest
|
||||
{
|
||||
policies.AddRange(serviceAccountAccessPolicies);
|
||||
}
|
||||
|
||||
CheckForDistinctAccessPolicies(policies);
|
||||
return policies;
|
||||
}
|
||||
|
||||
public List<BaseAccessPolicy> ToBaseAccessPoliciesForServiceAccount(Guid grantedServiceAccountId)
|
||||
public List<BaseAccessPolicy> ToBaseAccessPoliciesForServiceAccount(Guid grantedServiceAccountId, Guid organizationId)
|
||||
{
|
||||
if (UserAccessPolicyRequests == null && GroupAccessPolicyRequests == null)
|
||||
{
|
||||
@ -55,10 +80,10 @@ public class AccessPoliciesCreateRequest
|
||||
}
|
||||
|
||||
var userAccessPolicies = UserAccessPolicyRequests?
|
||||
.Select(x => x.ToUserServiceAccountAccessPolicy(grantedServiceAccountId)).ToList();
|
||||
.Select(x => x.ToUserServiceAccountAccessPolicy(grantedServiceAccountId, organizationId)).ToList();
|
||||
|
||||
var groupAccessPolicies = GroupAccessPolicyRequests?
|
||||
.Select(x => x.ToGroupServiceAccountAccessPolicy(grantedServiceAccountId)).ToList();
|
||||
.Select(x => x.ToGroupServiceAccountAccessPolicy(grantedServiceAccountId, organizationId)).ToList();
|
||||
|
||||
var policies = new List<BaseAccessPolicy>();
|
||||
if (userAccessPolicies != null)
|
||||
@ -70,6 +95,8 @@ public class AccessPoliciesCreateRequest
|
||||
{
|
||||
policies.AddRange(groupAccessPolicies);
|
||||
}
|
||||
|
||||
CheckForDistinctAccessPolicies(policies);
|
||||
return policies;
|
||||
}
|
||||
|
||||
@ -105,47 +132,52 @@ public class AccessPolicyRequest
|
||||
[Required]
|
||||
public bool Write { get; set; }
|
||||
|
||||
public UserProjectAccessPolicy ToUserProjectAccessPolicy(Guid projectId) =>
|
||||
public UserProjectAccessPolicy ToUserProjectAccessPolicy(Guid projectId, Guid organizationId) =>
|
||||
new()
|
||||
{
|
||||
OrganizationUserId = GranteeId,
|
||||
GrantedProjectId = projectId,
|
||||
GrantedProject = new Project { OrganizationId = organizationId, Id = projectId },
|
||||
Read = Read,
|
||||
Write = Write
|
||||
};
|
||||
|
||||
public GroupProjectAccessPolicy ToGroupProjectAccessPolicy(Guid projectId) =>
|
||||
public GroupProjectAccessPolicy ToGroupProjectAccessPolicy(Guid projectId, Guid organizationId) =>
|
||||
new()
|
||||
{
|
||||
GroupId = GranteeId,
|
||||
GrantedProjectId = projectId,
|
||||
GrantedProject = new Project { OrganizationId = organizationId, Id = projectId },
|
||||
Read = Read,
|
||||
Write = Write
|
||||
};
|
||||
|
||||
public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid projectId) =>
|
||||
public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid projectId, Guid organizationId) =>
|
||||
new()
|
||||
{
|
||||
ServiceAccountId = GranteeId,
|
||||
GrantedProjectId = projectId,
|
||||
GrantedProject = new Project { OrganizationId = organizationId, Id = projectId },
|
||||
Read = Read,
|
||||
Write = Write
|
||||
};
|
||||
|
||||
public UserServiceAccountAccessPolicy ToUserServiceAccountAccessPolicy(Guid id) =>
|
||||
public UserServiceAccountAccessPolicy ToUserServiceAccountAccessPolicy(Guid id, Guid organizationId) =>
|
||||
new()
|
||||
{
|
||||
OrganizationUserId = GranteeId,
|
||||
GrantedServiceAccountId = id,
|
||||
GrantedServiceAccount = new ServiceAccount() { OrganizationId = organizationId, Id = id },
|
||||
Read = Read,
|
||||
Write = Write
|
||||
};
|
||||
|
||||
public GroupServiceAccountAccessPolicy ToGroupServiceAccountAccessPolicy(Guid id) =>
|
||||
public GroupServiceAccountAccessPolicy ToGroupServiceAccountAccessPolicy(Guid id, Guid organizationId) =>
|
||||
new()
|
||||
{
|
||||
GroupId = GranteeId,
|
||||
GrantedServiceAccountId = id,
|
||||
GrantedServiceAccount = new ServiceAccount() { OrganizationId = organizationId, Id = id },
|
||||
Read = Read,
|
||||
Write = Write
|
||||
};
|
||||
|
@ -1,5 +1,6 @@
|
||||
using System.ComponentModel.DataAnnotations;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Infrastructure.EntityFramework.SecretsManager.Models;
|
||||
using ServiceAccountProjectAccessPolicy = Bit.Core.SecretsManager.Entities.ServiceAccountProjectAccessPolicy;
|
||||
|
||||
namespace Bit.Api.SecretsManager.Models.Request;
|
||||
|
||||
@ -14,10 +15,11 @@ public class GrantedAccessPolicyRequest
|
||||
[Required]
|
||||
public bool Write { get; set; }
|
||||
|
||||
public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid serviceAccountId) =>
|
||||
public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid serviceAccountId, Guid organizationId) =>
|
||||
new()
|
||||
{
|
||||
ServiceAccountId = serviceAccountId,
|
||||
ServiceAccount = new ServiceAccount() { Id = serviceAccountId, OrganizationId = organizationId },
|
||||
GrantedProjectId = GrantedId,
|
||||
Read = Read,
|
||||
Write = Write,
|
||||
|
@ -0,0 +1,14 @@
|
||||
using Microsoft.AspNetCore.Authorization.Infrastructure;
|
||||
|
||||
namespace Bit.Core.SecretsManager.AuthorizationRequirements;
|
||||
|
||||
public class AccessPolicyOperationRequirement : OperationAuthorizationRequirement
|
||||
{
|
||||
}
|
||||
|
||||
public static class AccessPolicyOperations
|
||||
{
|
||||
public static readonly AccessPolicyOperationRequirement Create = new() { Name = nameof(Create) };
|
||||
public static readonly AccessPolicyOperationRequirement Update = new() { Name = nameof(Update) };
|
||||
public static readonly AccessPolicyOperationRequirement Delete = new() { Name = nameof(Delete) };
|
||||
}
|
@ -1,9 +1,8 @@
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
|
||||
namespace Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
|
||||
|
||||
public interface ICreateAccessPoliciesCommand
|
||||
{
|
||||
Task<IEnumerable<BaseAccessPolicy>> CreateManyAsync(List<BaseAccessPolicy> accessPolicies, Guid userId, AccessClientType accessType);
|
||||
Task<IEnumerable<BaseAccessPolicy>> CreateManyAsync(List<BaseAccessPolicy> accessPolicies);
|
||||
}
|
||||
|
@ -2,5 +2,5 @@
|
||||
|
||||
public interface IDeleteAccessPolicyCommand
|
||||
{
|
||||
Task DeleteAsync(Guid id, Guid userId);
|
||||
Task DeleteAsync(Guid id);
|
||||
}
|
||||
|
@ -4,5 +4,5 @@ namespace Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
|
||||
|
||||
public interface IUpdateAccessPolicyCommand
|
||||
{
|
||||
public Task<BaseAccessPolicy> UpdateAsync(Guid id, bool read, bool write, Guid userId);
|
||||
public Task<BaseAccessPolicy> UpdateAsync(Guid id, bool read, bool write);
|
||||
}
|
||||
|
@ -12,13 +12,32 @@ public class AccessPolicyMapperProfile : Profile
|
||||
{
|
||||
public AccessPolicyMapperProfile()
|
||||
{
|
||||
CreateMap<Core.SecretsManager.Entities.UserProjectAccessPolicy, UserProjectAccessPolicy>().ReverseMap()
|
||||
CreateMap<Core.SecretsManager.Entities.UserProjectAccessPolicy, UserProjectAccessPolicy>()
|
||||
.ForMember(dst => dst.GrantedProject, opt => opt.Ignore())
|
||||
.ForMember(dst => dst.OrganizationUser, opt => opt.Ignore())
|
||||
.ReverseMap()
|
||||
.ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
|
||||
CreateMap<Core.SecretsManager.Entities.UserServiceAccountAccessPolicy, UserServiceAccountAccessPolicy>().ReverseMap()
|
||||
|
||||
CreateMap<Core.SecretsManager.Entities.UserServiceAccountAccessPolicy, UserServiceAccountAccessPolicy>()
|
||||
.ForMember(dst => dst.GrantedServiceAccount, opt => opt.Ignore())
|
||||
.ForMember(dst => dst.OrganizationUser, opt => opt.Ignore())
|
||||
.ReverseMap()
|
||||
.ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
|
||||
CreateMap<Core.SecretsManager.Entities.GroupProjectAccessPolicy, GroupProjectAccessPolicy>().ReverseMap();
|
||||
CreateMap<Core.SecretsManager.Entities.GroupServiceAccountAccessPolicy, GroupServiceAccountAccessPolicy>().ReverseMap();
|
||||
CreateMap<Core.SecretsManager.Entities.ServiceAccountProjectAccessPolicy, ServiceAccountProjectAccessPolicy>().ReverseMap();
|
||||
|
||||
CreateMap<Core.SecretsManager.Entities.GroupProjectAccessPolicy, GroupProjectAccessPolicy>()
|
||||
.ForMember(dst => dst.GrantedProject, opt => opt.Ignore())
|
||||
.ForMember(dst => dst.Group, opt => opt.Ignore())
|
||||
.ReverseMap();
|
||||
|
||||
CreateMap<Core.SecretsManager.Entities.GroupServiceAccountAccessPolicy, GroupServiceAccountAccessPolicy>()
|
||||
.ForMember(dst => dst.GrantedServiceAccount, opt => opt.Ignore())
|
||||
.ForMember(dst => dst.Group, opt => opt.Ignore())
|
||||
.ReverseMap();
|
||||
|
||||
CreateMap<Core.SecretsManager.Entities.ServiceAccountProjectAccessPolicy, ServiceAccountProjectAccessPolicy>()
|
||||
.ForMember(dst => dst.GrantedProject, opt => opt.Ignore())
|
||||
.ForMember(dst => dst.ServiceAccount, opt => opt.Ignore())
|
||||
.ReverseMap();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -64,79 +64,93 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
|
||||
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
|
||||
await LoginAsync(_email);
|
||||
|
||||
var project = await _projectRepository.CreateAsync(new Project
|
||||
{
|
||||
OrganizationId = org.Id,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
|
||||
var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
|
||||
{
|
||||
OrganizationId = org.Id,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
var (projectId, serviceAccountId) = await CreateProjectAndServiceAccountAsync(org.Id);
|
||||
|
||||
var request = new AccessPoliciesCreateRequest
|
||||
{
|
||||
ServiceAccountAccessPolicyRequests = new List<AccessPolicyRequest>
|
||||
{
|
||||
new() { GranteeId = serviceAccount.Id, Read = true, Write = true },
|
||||
new() { GranteeId = serviceAccountId, Read = true, Write = true },
|
||||
},
|
||||
};
|
||||
|
||||
var response = await _client.PostAsJsonAsync($"/projects/{project.Id}/access-policies", request);
|
||||
var response = await _client.PostAsJsonAsync($"/projects/{projectId}/access-policies", request);
|
||||
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task CreateProjectAccessPolicies_NoPermission()
|
||||
{
|
||||
// Create a new account as a user
|
||||
var (org, _) = await _organizationHelper.Initialize(true, true);
|
||||
var (email, _) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
|
||||
await LoginAsync(email);
|
||||
|
||||
var (projectId, serviceAccountId) = await CreateProjectAndServiceAccountAsync(org.Id);
|
||||
var request = new AccessPoliciesCreateRequest
|
||||
{
|
||||
ServiceAccountAccessPolicyRequests = new List<AccessPolicyRequest>
|
||||
{
|
||||
new() { GranteeId = serviceAccountId, Read = true, Write = true },
|
||||
},
|
||||
};
|
||||
|
||||
var response = await _client.PostAsJsonAsync($"/projects/{projectId}/access-policies", request);
|
||||
|
||||
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData(PermissionType.RunAsAdmin)]
|
||||
[InlineData(PermissionType.RunAsUserWithPermission)]
|
||||
public async Task CreateProjectAccessPolicies(PermissionType permissionType)
|
||||
public async Task CreateProjectAccessPolicies_MismatchedOrgIds_NotFound(PermissionType permissionType)
|
||||
{
|
||||
var (org, _) = await _organizationHelper.Initialize(true, true);
|
||||
await LoginAsync(_email);
|
||||
|
||||
var project = await _projectRepository.CreateAsync(new Project
|
||||
{
|
||||
OrganizationId = org.Id,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
|
||||
if (permissionType == PermissionType.RunAsUserWithPermission)
|
||||
{
|
||||
var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
|
||||
await LoginAsync(email);
|
||||
var accessPolicies = new List<BaseAccessPolicy>
|
||||
{
|
||||
new UserProjectAccessPolicy
|
||||
{
|
||||
GrantedProjectId = project.Id, OrganizationUserId = orgUser.Id, Read = true, Write = true,
|
||||
},
|
||||
};
|
||||
await _accessPolicyRepository.CreateManyAsync(accessPolicies);
|
||||
}
|
||||
|
||||
var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
|
||||
{
|
||||
OrganizationId = org.Id,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
var (projectId, serviceAccountId) = await CreateProjectAndServiceAccountAsync(org.Id, true);
|
||||
await SetupProjectAndServiceAccountPermissionAsync(permissionType, projectId, serviceAccountId);
|
||||
|
||||
var request = new AccessPoliciesCreateRequest
|
||||
{
|
||||
ServiceAccountAccessPolicyRequests = new List<AccessPolicyRequest>
|
||||
{
|
||||
new() { GranteeId = serviceAccount.Id, Read = true, Write = true },
|
||||
new() { GranteeId = serviceAccountId, Read = true, Write = true },
|
||||
},
|
||||
};
|
||||
|
||||
var response = await _client.PostAsJsonAsync($"/projects/{project.Id}/access-policies", request);
|
||||
|
||||
var response = await _client.PostAsJsonAsync($"/projects/{projectId}/access-policies", request);
|
||||
|
||||
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData(PermissionType.RunAsAdmin)]
|
||||
[InlineData(PermissionType.RunAsUserWithPermission)]
|
||||
public async Task CreateProjectAccessPolicies_Success(PermissionType permissionType)
|
||||
{
|
||||
var (org, _) = await _organizationHelper.Initialize(true, true);
|
||||
await LoginAsync(_email);
|
||||
|
||||
var (projectId, serviceAccountId) = await CreateProjectAndServiceAccountAsync(org.Id);
|
||||
await SetupProjectAndServiceAccountPermissionAsync(permissionType, projectId, serviceAccountId);
|
||||
|
||||
var request = new AccessPoliciesCreateRequest
|
||||
{
|
||||
ServiceAccountAccessPolicyRequests = new List<AccessPolicyRequest>
|
||||
{
|
||||
new() { GranteeId = serviceAccountId, Read = true, Write = true },
|
||||
},
|
||||
};
|
||||
|
||||
var response = await _client.PostAsJsonAsync($"/projects/{projectId}/access-policies", request);
|
||||
response.EnsureSuccessStatusCode();
|
||||
|
||||
var result = await response.Content.ReadFromJsonAsync<ProjectAccessPoliciesResponseModel>();
|
||||
|
||||
Assert.NotNull(result);
|
||||
Assert.Equal(serviceAccount.Id, result!.ServiceAccountAccessPolicies.First().ServiceAccountId);
|
||||
Assert.Equal(serviceAccountId, result!.ServiceAccountAccessPolicies.First().ServiceAccountId);
|
||||
Assert.True(result.ServiceAccountAccessPolicies.First().Read);
|
||||
Assert.True(result.ServiceAccountAccessPolicies.First().Write);
|
||||
AssertHelper.AssertRecent(result.ServiceAccountAccessPolicies.First().RevisionDate);
|
||||
@ -152,39 +166,6 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
|
||||
AssertHelper.AssertRecent(createdAccessPolicy.RevisionDate);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task CreateProjectAccessPolicies_NoPermission()
|
||||
{
|
||||
// Create a new account as a user
|
||||
var (org, _) = await _organizationHelper.Initialize(true, true);
|
||||
var (email, _) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
|
||||
await LoginAsync(email);
|
||||
|
||||
var project = await _projectRepository.CreateAsync(new Project
|
||||
{
|
||||
OrganizationId = org.Id,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
|
||||
var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
|
||||
{
|
||||
OrganizationId = org.Id,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
|
||||
var request = new AccessPoliciesCreateRequest
|
||||
{
|
||||
ServiceAccountAccessPolicyRequests = new List<AccessPolicyRequest>
|
||||
{
|
||||
new() { GranteeId = serviceAccount.Id, Read = true, Write = true },
|
||||
},
|
||||
};
|
||||
|
||||
var response = await _client.PostAsJsonAsync($"/projects/{project.Id}/access-policies", request);
|
||||
|
||||
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData(false, false)]
|
||||
[InlineData(true, false)]
|
||||
@ -225,7 +206,7 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
|
||||
[Theory]
|
||||
[InlineData(PermissionType.RunAsAdmin)]
|
||||
[InlineData(PermissionType.RunAsUserWithPermission)]
|
||||
public async Task UpdateAccessPolicy(PermissionType permissionType)
|
||||
public async Task UpdateAccessPolicy_Success(PermissionType permissionType)
|
||||
{
|
||||
var (org, _) = await _organizationHelper.Initialize(true, true);
|
||||
await LoginAsync(_email);
|
||||
@ -298,7 +279,7 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
|
||||
[Theory]
|
||||
[InlineData(PermissionType.RunAsAdmin)]
|
||||
[InlineData(PermissionType.RunAsUserWithPermission)]
|
||||
public async Task DeleteAccessPolicy(PermissionType permissionType)
|
||||
public async Task DeleteAccessPolicy_Success(PermissionType permissionType)
|
||||
{
|
||||
var (org, _) = await _organizationHelper.Initialize(true, true);
|
||||
await LoginAsync(_email);
|
||||
@ -644,7 +625,30 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
|
||||
[Theory]
|
||||
[InlineData(PermissionType.RunAsAdmin)]
|
||||
[InlineData(PermissionType.RunAsUserWithPermission)]
|
||||
public async Task CreateServiceAccountAccessPolicies(PermissionType permissionType)
|
||||
public async Task CreateServiceAccountAccessPolicies_MismatchOrgId_NotFound(PermissionType permissionType)
|
||||
{
|
||||
var (org, orgUser) = await _organizationHelper.Initialize(true, true);
|
||||
await LoginAsync(_email);
|
||||
var ownerOrgUserId = orgUser.Id;
|
||||
|
||||
var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
|
||||
{
|
||||
OrganizationId = Guid.NewGuid(),
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
var request =
|
||||
await SetupUserServiceAccountAccessPolicyRequestAsync(permissionType, org.Id, orgUser.Id,
|
||||
serviceAccount.Id);
|
||||
|
||||
var response =
|
||||
await _client.PostAsJsonAsync($"/service-accounts/{serviceAccount.Id}/access-policies", request);
|
||||
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData(PermissionType.RunAsAdmin)]
|
||||
[InlineData(PermissionType.RunAsUserWithPermission)]
|
||||
public async Task CreateServiceAccountAccessPolicies_Success(PermissionType permissionType)
|
||||
{
|
||||
var (org, orgUser) = await _organizationHelper.Initialize(true, true);
|
||||
await LoginAsync(_email);
|
||||
@ -655,41 +659,9 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
|
||||
OrganizationId = org.Id,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
|
||||
var request = new AccessPoliciesCreateRequest
|
||||
{
|
||||
UserAccessPolicyRequests = new List<AccessPolicyRequest>
|
||||
{
|
||||
new() { GranteeId = orgUser.Id, Read = true, Write = true },
|
||||
},
|
||||
};
|
||||
|
||||
|
||||
if (permissionType == PermissionType.RunAsUserWithPermission)
|
||||
{
|
||||
var (email, newOrgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
|
||||
await LoginAsync(email);
|
||||
var accessPolicies = new List<BaseAccessPolicy>
|
||||
{
|
||||
new UserServiceAccountAccessPolicy
|
||||
{
|
||||
GrantedServiceAccountId = serviceAccount.Id,
|
||||
OrganizationUserId = newOrgUser.Id,
|
||||
Read = true,
|
||||
Write = true,
|
||||
},
|
||||
};
|
||||
await _accessPolicyRepository.CreateManyAsync(accessPolicies);
|
||||
|
||||
request = new AccessPoliciesCreateRequest
|
||||
{
|
||||
UserAccessPolicyRequests = new List<AccessPolicyRequest>
|
||||
{
|
||||
new() { GranteeId = ownerOrgUserId, Read = true, Write = true },
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
var request =
|
||||
await SetupUserServiceAccountAccessPolicyRequestAsync(permissionType, org.Id, orgUser.Id,
|
||||
serviceAccount.Id);
|
||||
|
||||
var response =
|
||||
await _client.PostAsJsonAsync($"/service-accounts/{serviceAccount.Id}/access-policies", request);
|
||||
@ -860,67 +832,6 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
|
||||
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData(PermissionType.RunAsAdmin)]
|
||||
[InlineData(PermissionType.RunAsUserWithPermission)]
|
||||
public async Task CreateServiceAccountGrantedPolicies(PermissionType permissionType)
|
||||
{
|
||||
var (org, orgUser) = await _organizationHelper.Initialize(true, true);
|
||||
await LoginAsync(_email);
|
||||
var ownerOrgUserId = orgUser.Id;
|
||||
|
||||
var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
|
||||
{
|
||||
OrganizationId = org.Id,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
|
||||
var project = await _projectRepository.CreateAsync(new Project
|
||||
{
|
||||
OrganizationId = org.Id,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
|
||||
var request =
|
||||
new List<GrantedAccessPolicyRequest> { new() { GrantedId = project.Id, Read = true, Write = true } };
|
||||
|
||||
|
||||
if (permissionType == PermissionType.RunAsUserWithPermission)
|
||||
{
|
||||
var (email, newOrgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
|
||||
await LoginAsync(email);
|
||||
var accessPolicies = new List<BaseAccessPolicy>
|
||||
{
|
||||
new UserProjectAccessPolicy
|
||||
{
|
||||
GrantedProjectId = project.Id, OrganizationUserId = newOrgUser.Id, Read = true, Write = true,
|
||||
},
|
||||
};
|
||||
await _accessPolicyRepository.CreateManyAsync(accessPolicies);
|
||||
}
|
||||
|
||||
|
||||
var response =
|
||||
await _client.PostAsJsonAsync($"/service-accounts/{serviceAccount.Id}/granted-policies", request);
|
||||
response.EnsureSuccessStatusCode();
|
||||
|
||||
var result = await response.Content
|
||||
.ReadFromJsonAsync<ListResponseModel<ServiceAccountProjectAccessPolicyResponseModel>>();
|
||||
|
||||
Assert.NotNull(result);
|
||||
Assert.NotEmpty(result!.Data);
|
||||
Assert.Equal(project.Id, result.Data.First().GrantedProjectId);
|
||||
|
||||
var createdAccessPolicy =
|
||||
await _accessPolicyRepository.GetByIdAsync(result.Data.First().Id);
|
||||
Assert.NotNull(createdAccessPolicy);
|
||||
Assert.Equal(result.Data.First().Read, createdAccessPolicy!.Read);
|
||||
Assert.Equal(result.Data.First().Write, createdAccessPolicy.Write);
|
||||
Assert.Equal(result.Data.First().Id, createdAccessPolicy.Id);
|
||||
AssertHelper.AssertRecent(createdAccessPolicy.CreationDate);
|
||||
AssertHelper.AssertRecent(createdAccessPolicy.RevisionDate);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task CreateServiceAccountGrantedPolicies_NoPermission()
|
||||
{
|
||||
@ -949,6 +860,63 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
|
||||
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData(PermissionType.RunAsAdmin)]
|
||||
[InlineData(PermissionType.RunAsUserWithPermission)]
|
||||
public async Task CreateServiceAccountGrantedPolicies_MismatchedOrgId_NotFound(PermissionType permissionType)
|
||||
{
|
||||
var (org, orgUser) = await _organizationHelper.Initialize(true, true);
|
||||
await LoginAsync(_email);
|
||||
var ownerOrgUserId = orgUser.Id;
|
||||
|
||||
var (projectId, serviceAccountId) = await CreateProjectAndServiceAccountAsync(org.Id, true);
|
||||
await SetupProjectAndServiceAccountPermissionAsync(permissionType, projectId, serviceAccountId);
|
||||
|
||||
var request =
|
||||
new List<GrantedAccessPolicyRequest> { new() { GrantedId = projectId, Read = true, Write = true } };
|
||||
|
||||
var response =
|
||||
await _client.PostAsJsonAsync($"/service-accounts/{serviceAccountId}/granted-policies", request);
|
||||
Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
|
||||
}
|
||||
|
||||
|
||||
[Theory]
|
||||
[InlineData(PermissionType.RunAsAdmin)]
|
||||
[InlineData(PermissionType.RunAsUserWithPermission)]
|
||||
public async Task CreateServiceAccountGrantedPolicies_Success(PermissionType permissionType)
|
||||
{
|
||||
var (org, orgUser) = await _organizationHelper.Initialize(true, true);
|
||||
await LoginAsync(_email);
|
||||
var ownerOrgUserId = orgUser.Id;
|
||||
|
||||
var (projectId, serviceAccountId) = await CreateProjectAndServiceAccountAsync(org.Id);
|
||||
await SetupProjectAndServiceAccountPermissionAsync(permissionType, projectId, serviceAccountId);
|
||||
|
||||
var request =
|
||||
new List<GrantedAccessPolicyRequest> { new() { GrantedId = projectId, Read = true, Write = true } };
|
||||
|
||||
var response =
|
||||
await _client.PostAsJsonAsync($"/service-accounts/{serviceAccountId}/granted-policies", request);
|
||||
response.EnsureSuccessStatusCode();
|
||||
|
||||
var result = await response.Content
|
||||
.ReadFromJsonAsync<ListResponseModel<ServiceAccountProjectAccessPolicyResponseModel>>();
|
||||
|
||||
Assert.NotNull(result);
|
||||
Assert.NotEmpty(result!.Data);
|
||||
Assert.Equal(projectId, result.Data.First().GrantedProjectId);
|
||||
|
||||
var createdAccessPolicy =
|
||||
await _accessPolicyRepository.GetByIdAsync(result.Data.First().Id);
|
||||
Assert.NotNull(createdAccessPolicy);
|
||||
Assert.Equal(result.Data.First().Read, createdAccessPolicy!.Read);
|
||||
Assert.Equal(result.Data.First().Write, createdAccessPolicy.Write);
|
||||
Assert.Equal(result.Data.First().Id, createdAccessPolicy.Id);
|
||||
AssertHelper.AssertRecent(createdAccessPolicy.CreationDate);
|
||||
AssertHelper.AssertRecent(createdAccessPolicy.RevisionDate);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[InlineData(false, false)]
|
||||
[InlineData(true, false)]
|
||||
@ -1071,6 +1039,78 @@ public class AccessPoliciesControllerTests : IClassFixture<ApiApplicationFactory
|
||||
};
|
||||
}
|
||||
|
||||
private async Task<(Guid ProjectId, Guid ServiceAccountId)> CreateProjectAndServiceAccountAsync(Guid organizationId,
|
||||
bool misMatchOrganization = false)
|
||||
{
|
||||
var project = await _projectRepository.CreateAsync(new Project
|
||||
{
|
||||
OrganizationId = misMatchOrganization ? Guid.NewGuid() : organizationId,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
|
||||
var serviceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
|
||||
{
|
||||
OrganizationId = organizationId,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
|
||||
return (project.Id, serviceAccount.Id);
|
||||
}
|
||||
|
||||
private async Task SetupProjectAndServiceAccountPermissionAsync(PermissionType permissionType, Guid projectId,
|
||||
Guid serviceAccountId)
|
||||
{
|
||||
if (permissionType == PermissionType.RunAsUserWithPermission)
|
||||
{
|
||||
var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
|
||||
await LoginAsync(email);
|
||||
var accessPolicies = new List<BaseAccessPolicy>
|
||||
{
|
||||
new UserProjectAccessPolicy
|
||||
{
|
||||
GrantedProjectId = projectId, OrganizationUserId = orgUser.Id, Read = true, Write = true,
|
||||
},
|
||||
new UserServiceAccountAccessPolicy
|
||||
{
|
||||
GrantedServiceAccountId = serviceAccountId,
|
||||
OrganizationUserId = orgUser.Id,
|
||||
Read = true,
|
||||
Write = true,
|
||||
},
|
||||
};
|
||||
await _accessPolicyRepository.CreateManyAsync(accessPolicies);
|
||||
}
|
||||
}
|
||||
|
||||
private async Task<AccessPoliciesCreateRequest> SetupUserServiceAccountAccessPolicyRequestAsync(
|
||||
PermissionType permissionType, Guid organizationId, Guid userId, Guid serviceAccountId)
|
||||
{
|
||||
if (permissionType == PermissionType.RunAsUserWithPermission)
|
||||
{
|
||||
var (email, newOrgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
|
||||
await LoginAsync(email);
|
||||
var accessPolicies = new List<BaseAccessPolicy>
|
||||
{
|
||||
new UserServiceAccountAccessPolicy
|
||||
{
|
||||
GrantedServiceAccountId = serviceAccountId,
|
||||
OrganizationUserId = newOrgUser.Id,
|
||||
Read = true,
|
||||
Write = true,
|
||||
},
|
||||
};
|
||||
await _accessPolicyRepository.CreateManyAsync(accessPolicies);
|
||||
}
|
||||
|
||||
return new AccessPoliciesCreateRequest
|
||||
{
|
||||
UserAccessPolicyRequests = new List<AccessPolicyRequest>
|
||||
{
|
||||
new() { GranteeId = userId, Read = true, Write = true },
|
||||
},
|
||||
};
|
||||
}
|
||||
|
||||
private class RequestSetupData
|
||||
{
|
||||
public Guid ProjectId { get; set; }
|
||||
|
@ -1,4 +1,5 @@
|
||||
using Bit.Api.SecretsManager.Controllers;
|
||||
using System.Security.Claims;
|
||||
using Bit.Api.SecretsManager.Controllers;
|
||||
using Bit.Api.SecretsManager.Models.Request;
|
||||
using Bit.Api.Test.SecretsManager.Enums;
|
||||
using Bit.Core.Context;
|
||||
@ -14,6 +15,7 @@ using Bit.Core.Test.SecretsManager.AutoFixture.ProjectsFixture;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Bit.Test.Common.Helpers;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using NSubstitute;
|
||||
using NSubstitute.ReturnsExtensions;
|
||||
using Xunit;
|
||||
@ -383,9 +385,7 @@ public class AccessPoliciesControllerTests
|
||||
AccessPoliciesCreateRequest request)
|
||||
{
|
||||
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(mockProject);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>().CreateManyAsync(default, default, default)
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>().CreateManyAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
|
||||
request = AddRequestsOverMax(request);
|
||||
@ -394,7 +394,72 @@ public class AccessPoliciesControllerTests
|
||||
sutProvider.Sut.CreateProjectAccessPoliciesAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>(), Arg.Any<Guid>(), Arg.Any<AccessClientType>());
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void CreateProjectAccessPolicies_ProjectDoesNotExist_Throws(
|
||||
SutProvider<AccessPoliciesController> sutProvider,
|
||||
Guid id,
|
||||
AccessPoliciesCreateRequest request)
|
||||
{
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.CreateProjectAccessPoliciesAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void CreateProjectAccessPolicies_DuplicatePolicy_Throws(
|
||||
SutProvider<AccessPoliciesController> sutProvider,
|
||||
Guid id,
|
||||
Project mockProject,
|
||||
UserProjectAccessPolicy data,
|
||||
AccessPoliciesCreateRequest request)
|
||||
{
|
||||
var dup = new AccessPolicyRequest() { GranteeId = Guid.NewGuid(), Read = true, Write = true };
|
||||
request.UserAccessPolicyRequests = new[] { dup, dup };
|
||||
mockProject.Id = id;
|
||||
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(mockProject);
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>().CreateManyAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(() =>
|
||||
sutProvider.Sut.CreateProjectAccessPoliciesAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void CreateProjectAccessPolicies_NoAccess_Throws(
|
||||
SutProvider<AccessPoliciesController> sutProvider,
|
||||
Guid id,
|
||||
Project mockProject,
|
||||
UserProjectAccessPolicy data,
|
||||
AccessPoliciesCreateRequest request)
|
||||
{
|
||||
mockProject.Id = id;
|
||||
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(mockProject);
|
||||
var policies = request.ToBaseAccessPoliciesForProject(id, mockProject.OrganizationId);
|
||||
foreach (var policy in policies)
|
||||
{
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), policy,
|
||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
|
||||
}
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>().CreateManyAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.CreateProjectAccessPoliciesAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
@ -406,16 +471,22 @@ public class AccessPoliciesControllerTests
|
||||
UserProjectAccessPolicy data,
|
||||
AccessPoliciesCreateRequest request)
|
||||
{
|
||||
mockProject.Id = id;
|
||||
sutProvider.GetDependency<IProjectRepository>().GetByIdAsync(default).ReturnsForAnyArgs(mockProject);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>().CreateManyAsync(default, default, default)
|
||||
var policies = request.ToBaseAccessPoliciesForProject(id, mockProject.OrganizationId);
|
||||
foreach (var policy in policies)
|
||||
{
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), policy,
|
||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
||||
}
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>().CreateManyAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
|
||||
await sutProvider.Sut.CreateProjectAccessPoliciesAsync(id, request);
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().Received(1)
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>(), Arg.Any<Guid>(), Arg.Any<AccessClientType>());
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
@ -428,10 +499,8 @@ public class AccessPoliciesControllerTests
|
||||
AccessPoliciesCreateRequest request)
|
||||
{
|
||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(serviceAccount);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>()
|
||||
.CreateManyAsync(default, default, default)
|
||||
.CreateManyAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
|
||||
request = AddRequestsOverMax(request);
|
||||
@ -440,7 +509,74 @@ public class AccessPoliciesControllerTests
|
||||
sutProvider.Sut.CreateServiceAccountAccessPoliciesAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>(), Arg.Any<Guid>(), Arg.Any<AccessClientType>());
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void CreateServiceAccountAccessPolicies_ServiceAccountDoesNotExist_Throws(
|
||||
SutProvider<AccessPoliciesController> sutProvider,
|
||||
Guid id,
|
||||
AccessPoliciesCreateRequest request)
|
||||
{
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.CreateServiceAccountAccessPoliciesAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void CreateServiceAccountAccessPolicies_DuplicatePolicy_Throws(
|
||||
SutProvider<AccessPoliciesController> sutProvider,
|
||||
Guid id,
|
||||
ServiceAccount serviceAccount,
|
||||
UserServiceAccountAccessPolicy data,
|
||||
AccessPoliciesCreateRequest request)
|
||||
{
|
||||
var dup = new AccessPolicyRequest() { GranteeId = Guid.NewGuid(), Read = true, Write = true };
|
||||
request.UserAccessPolicyRequests = new[] { dup, dup };
|
||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(serviceAccount);
|
||||
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>()
|
||||
.CreateManyAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(() =>
|
||||
sutProvider.Sut.CreateServiceAccountAccessPoliciesAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void CreateServiceAccountAccessPolicies_NoAccess_Throws(
|
||||
SutProvider<AccessPoliciesController> sutProvider,
|
||||
Guid id,
|
||||
ServiceAccount serviceAccount,
|
||||
UserServiceAccountAccessPolicy data,
|
||||
AccessPoliciesCreateRequest request)
|
||||
{
|
||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(serviceAccount);
|
||||
var policies = request.ToBaseAccessPoliciesForServiceAccount(id, serviceAccount.OrganizationId);
|
||||
foreach (var policy in policies)
|
||||
{
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), policy,
|
||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
|
||||
}
|
||||
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>()
|
||||
.CreateManyAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.CreateServiceAccountAccessPoliciesAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
@ -453,16 +589,22 @@ public class AccessPoliciesControllerTests
|
||||
AccessPoliciesCreateRequest request)
|
||||
{
|
||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(serviceAccount);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||
var policies = request.ToBaseAccessPoliciesForServiceAccount(id, serviceAccount.OrganizationId);
|
||||
foreach (var policy in policies)
|
||||
{
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), policy,
|
||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
||||
}
|
||||
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>()
|
||||
.CreateManyAsync(default, default, default)
|
||||
.CreateManyAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
|
||||
await sutProvider.Sut.CreateServiceAccountAccessPoliciesAsync(id, request);
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().Received(1)
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>(), Arg.Any<Guid>(), Arg.Any<AccessClientType>());
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
@ -475,10 +617,8 @@ public class AccessPoliciesControllerTests
|
||||
List<GrantedAccessPolicyRequest> request)
|
||||
{
|
||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(serviceAccount);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>()
|
||||
.CreateManyAsync(default, default, default)
|
||||
.CreateManyAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
|
||||
request = AddRequestsOverMax(request);
|
||||
@ -487,7 +627,73 @@ public class AccessPoliciesControllerTests
|
||||
sutProvider.Sut.CreateServiceAccountGrantedPoliciesAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>(), Arg.Any<Guid>(), Arg.Any<AccessClientType>());
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void CreateServiceAccountGrantedPolicies_ServiceAccountDoesNotExist_Throws(
|
||||
SutProvider<AccessPoliciesController> sutProvider,
|
||||
Guid id,
|
||||
List<GrantedAccessPolicyRequest> request)
|
||||
{
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.CreateServiceAccountGrantedPoliciesAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void CreateServiceAccountGrantedPolicies_DuplicatePolicy_Throws(
|
||||
SutProvider<AccessPoliciesController> sutProvider,
|
||||
Guid id,
|
||||
ServiceAccount serviceAccount,
|
||||
ServiceAccountProjectAccessPolicy data,
|
||||
List<GrantedAccessPolicyRequest> request)
|
||||
{
|
||||
var dup = new GrantedAccessPolicyRequest() { GrantedId = Guid.NewGuid(), Read = true, Write = true };
|
||||
request.Add(dup);
|
||||
request.Add(dup);
|
||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(serviceAccount);
|
||||
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>()
|
||||
.CreateManyAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
|
||||
await Assert.ThrowsAsync<BadRequestException>(() =>
|
||||
sutProvider.Sut.CreateServiceAccountGrantedPoliciesAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void CreateServiceAccountGrantedPolicies_NoAccess_Throws(
|
||||
SutProvider<AccessPoliciesController> sutProvider,
|
||||
Guid id,
|
||||
ServiceAccount serviceAccount,
|
||||
ServiceAccountProjectAccessPolicy data,
|
||||
List<GrantedAccessPolicyRequest> request)
|
||||
{
|
||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(serviceAccount);
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>()
|
||||
.CreateManyAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
foreach (var policy in request)
|
||||
{
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), policy,
|
||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
|
||||
}
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.CreateServiceAccountGrantedPoliciesAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
@ -500,16 +706,42 @@ public class AccessPoliciesControllerTests
|
||||
List<GrantedAccessPolicyRequest> request)
|
||||
{
|
||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(serviceAccount);
|
||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>()
|
||||
.CreateManyAsync(default, default, default)
|
||||
.CreateManyAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
foreach (var policy in request)
|
||||
{
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), policy,
|
||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
||||
}
|
||||
|
||||
await sutProvider.Sut.CreateServiceAccountGrantedPoliciesAsync(id, request);
|
||||
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().Received(1)
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>(), Arg.Any<Guid>(), Arg.Any<AccessClientType>());
|
||||
.CreateManyAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void UpdateAccessPolicies_NoAccess_Throws(
|
||||
SutProvider<AccessPoliciesController> sutProvider,
|
||||
Guid id,
|
||||
UserProjectAccessPolicy data,
|
||||
AccessPolicyUpdateRequest request)
|
||||
{
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data,
|
||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(id).Returns(data);
|
||||
sutProvider.GetDependency<IUpdateAccessPolicyCommand>().UpdateAsync(default, default, default)
|
||||
.ReturnsForAnyArgs(data);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.UpdateAccessPolicyAsync(id, request));
|
||||
|
||||
await sutProvider.GetDependency<IUpdateAccessPolicyCommand>().DidNotReceiveWithAnyArgs()
|
||||
.UpdateAsync(Arg.Any<Guid>(), Arg.Is(request.Read), Arg.Is(request.Write));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
@ -520,27 +752,48 @@ public class AccessPoliciesControllerTests
|
||||
UserProjectAccessPolicy data,
|
||||
AccessPolicyUpdateRequest request)
|
||||
{
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||
sutProvider.GetDependency<IUpdateAccessPolicyCommand>().UpdateAsync(default, default, default, default)
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data,
|
||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(id).Returns(data);
|
||||
sutProvider.GetDependency<IUpdateAccessPolicyCommand>().UpdateAsync(default, default, default)
|
||||
.ReturnsForAnyArgs(data);
|
||||
|
||||
await sutProvider.Sut.UpdateAccessPolicyAsync(id, request);
|
||||
|
||||
await sutProvider.GetDependency<IUpdateAccessPolicyCommand>().Received(1)
|
||||
.UpdateAsync(Arg.Any<Guid>(), Arg.Is(request.Read), Arg.Is(request.Write), Arg.Any<Guid>());
|
||||
.UpdateAsync(Arg.Any<Guid>(), Arg.Is(request.Read), Arg.Is(request.Write));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void DeleteAccessPolicies_NoAccess_Throws(SutProvider<AccessPoliciesController> sutProvider, Guid id)
|
||||
{
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), new UserProjectAccessPolicy(),
|
||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
|
||||
sutProvider.GetDependency<IDeleteAccessPolicyCommand>().DeleteAsync(default).ReturnsNull();
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||
sutProvider.Sut.DeleteAccessPolicyAsync(id));
|
||||
|
||||
await sutProvider.GetDependency<IDeleteAccessPolicyCommand>().DidNotReceiveWithAnyArgs()
|
||||
.DeleteAsync(Arg.Any<Guid>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void DeleteAccessPolicies_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id)
|
||||
{
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||
sutProvider.GetDependency<IDeleteAccessPolicyCommand>().DeleteAsync(default, default).ReturnsNull();
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), new UserProjectAccessPolicy(),
|
||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
||||
sutProvider.GetDependency<IDeleteAccessPolicyCommand>().DeleteAsync(default).ReturnsNull();
|
||||
|
||||
await sutProvider.Sut.DeleteAccessPolicyAsync(id);
|
||||
|
||||
await sutProvider.GetDependency<IDeleteAccessPolicyCommand>().Received(1)
|
||||
.DeleteAsync(Arg.Any<Guid>(), Arg.Any<Guid>());
|
||||
.DeleteAsync(Arg.Any<Guid>());
|
||||
}
|
||||
|
||||
[Theory]
|
||||
|
Loading…
Reference in New Issue
Block a user