SM-655: Add Authorizations and Tests for the SM Porting Controller (#2802)

* SM-655: Add Authorize attribute for secrets on the SM Porting Controller * SM-655: Add access secrets manager check to SM Import and Export * SM-655: Add tests for export and import endpoints
2024-11-24 12:35:25 +01:00 · 2023-03-15 11:51:01 -04:00 · 2023-03-15 11:51:01 -04:00 · 1dc9aad1f1
commit 1dc9aad1f1
parent 388caa28f8
2 changed files with 83 additions and 2 deletions
--- a/src/Api/SecretsManager/Controllers/SecretsManagerPortingController.cs
+++ b/src/Api/SecretsManager/Controllers/SecretsManagerPortingController.cs
@ -6,11 +6,13 @@ using Bit.Core.Exceptions;
 using Bit.Core.SecretsManager.Commands.Porting.Interfaces;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

 namespace Bit.Api.SecretsManager.Controllers;

 [SecretsManager]
+[Authorize("secrets")]
 public class SecretsManagerPortingController : Controller
 {
    private readonly ISecretRepository _secretRepository;
@ -31,7 +33,7 @@ public class SecretsManagerPortingController : Controller
    [HttpGet("sm/{organizationId}/export")]
    public async Task<SMExportResponseModel> Export([FromRoute] Guid organizationId, [FromRoute] string format = "json")
    {
-        if (!await _currentContext.OrganizationAdmin(organizationId))
+        if (!await _currentContext.OrganizationAdmin(organizationId) || !_currentContext.AccessSecretsManager(organizationId))
        {
            throw new NotFoundException();
        }
@ -51,7 +53,7 @@ public class SecretsManagerPortingController : Controller
    [HttpPost("sm/{organizationId}/import")]
    public async Task Import([FromRoute] Guid organizationId, [FromBody] SMImportRequestModel importRequest)
    {
-        if (!await _currentContext.OrganizationAdmin(organizationId))
+        if (!await _currentContext.OrganizationAdmin(organizationId) || !_currentContext.AccessSecretsManager(organizationId))
        {
            throw new NotFoundException();
        }
--- a/test/Api.IntegrationTest/SecretsManager/Controllers/SecretsManagerPortingControllerTest.cs
+++ b/test/Api.IntegrationTest/SecretsManager/Controllers/SecretsManagerPortingControllerTest.cs
@ -0,0 +1,79 @@
+using System.Net;
+using System.Net.Http.Headers;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.SecretsManager.Models.Request;
+using Bit.Core.SecretsManager.Repositories;
+using Xunit;
+
+namespace Bit.Api.IntegrationTest.SecretsManager.Controllers;
+
+public class SecretsManagerPortingControllerTest : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
+{
+    private readonly string _mockEncryptedString =
+        "2.3Uk+WNBIoU5xzmVFNcoWzz==|1MsPIYuRfdOHfu/0uY6H2Q==|/98sp4wb6pHP1VTZ9JcNCYgQjEUMFPlqJgCwRk1YXKg=";
+
+    private readonly HttpClient _client;
+    private readonly ApiApplicationFactory _factory;
+    private readonly IProjectRepository _projectRepository;
+    private readonly IAccessPolicyRepository _accessPolicyRepository;
+
+    private string _email = null!;
+    private SecretsManagerOrganizationHelper _organizationHelper = null!;
+
+    public SecretsManagerPortingControllerTest(ApiApplicationFactory factory)
+    {
+        _factory = factory;
+        _client = _factory.CreateClient();
+        _projectRepository = _factory.GetService<IProjectRepository>();
+        _accessPolicyRepository = _factory.GetService<IAccessPolicyRepository>();
+    }
+
+    public async Task InitializeAsync()
+    {
+        _email = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(_email);
+        _organizationHelper = new SecretsManagerOrganizationHelper(_factory, _email);
+    }
+
+    public Task DisposeAsync()
+    {
+        _client.Dispose();
+        return Task.CompletedTask;
+    }
+
+    private async Task LoginAsync(string email)
+    {
+        var tokens = await _factory.LoginAsync(email);
+        _client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
+    }
+
+    [Theory]
+    [InlineData(false, false)]
+    [InlineData(true, false)]
+    [InlineData(false, true)]
+    public async Task Import_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
+    {
+        var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
+        await LoginAsync(_email);
+
+        var projectsList = new List<SMImportRequestModel.InnerProjectImportRequestModel>();
+        var secretsList = new List<SMImportRequestModel.InnerSecretImportRequestModel>();
+        var request = new SMImportRequestModel { Projects = projectsList, Secrets = secretsList };
+
+        var response = await _client.PostAsJsonAsync($"sm/{org.Id}/import", request);
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(false, false)]
+    [InlineData(true, false)]
+    [InlineData(false, true)]
+    public async Task Export_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
+    {
+        var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
+        await LoginAsync(_email);
+
+        var response = await _client.GetAsync($"sm/{org.Id}/export");
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+}