From 2c8f23ec9b680ffa1d89c0d59969cea2a07659c2 Mon Sep 17 00:00:00 2001
From: Oscar Hinton
Date: Tue, 7 Mar 2023 10:13:49 +0100
Subject: [PATCH] [SM-579] Prevent creating secrets not attached to projects (#2754)
* Prevent creating secrets not attached to projects, and prevent updating secrets to remove project relation
* Fix test
---
 .../SecretsManager/Commands/Secrets/CreateSecretCommand.cs | 7 ++++++-
 .../SecretsManager/Commands/Secrets/UpdateSecretCommand.cs | 5 +++++
 .../SecretsManager/Controllers/SecretsControllerTest.cs | 5 ++++-
 3 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/CreateSecretCommand.cs b/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/CreateSecretCommand.cs
index 61558ad22..a41c551ef 100644
--- a/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/CreateSecretCommand.cs
+++ b/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/CreateSecretCommand.cs
@@ -26,10 +26,15 @@ public class CreateSecretCommand : ICreateSecretCommand
 var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
 var project = secret.Projects?.FirstOrDefault();
+ if (project == null)
+ {
+ throw new NotFoundException();
+ }
+
 var hasAccess = accessClient switch
 {
 AccessClientType.NoAccessCheck => true,
- AccessClientType.User => project != null && await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
+ AccessClientType.User => await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
 _ => false,
 };
diff --git a/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs b/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
index 583208adc..c7f6a9c52 100644
--- a/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
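Review bot: The new null guard and the `AccessClientType.User` write check both look only at `secret.Projects?.FirstOrDefault()`, so when a create request carries more than one project only the first one is authorized; the integration test in this same patch sends `ProjectIds` as a `Guid[]`, which suggests several are accepted, and then a user could attach a secret to a project they cannot write to simply by listing an accessible project first. Either reject multi-project creates up front, e.g. `if (secret.Projects == null || secret.Projects.Skip(1).Any()) { throw new NotFoundException(); }`, or run `UserHasWriteAccessToProject` for every entry of `secret.Projects` rather than the first. Nothing in the hunk ties `project.Id` to the secret's organization, and the `NoAccessCheck` branch returns true without touching the repository, so the admin path appears to accept a project ID from any organization unless that is enforced outside this hunk — worth confirming. The enclosing method starts and ends outside the hunk.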
+++ b/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
@@ -33,6 +33,11 @@ public class UpdateSecretCommand : IUpdateSecretCommand
 var project = updatedSecret.Projects?.FirstOrDefault();
+ if (secret.Projects != null && secret.Projects.Any() && project == null)
+ {
+ throw new NotFoundException();
+ }
+
 var hasAccess = accessClient switch
 {
 AccessClientType.NoAccessCheck => true,
diff --git a/test/Api.IntegrationTest/SecretsManager/Controllers/SecretsControllerTest.cs b/test/Api.IntegrationTest/SecretsManager/Controllers/SecretsControllerTest.cs
index 83036a41a..8bb74beda 100644
--- a/test/Api.IntegrationTest/SecretsManager/Controllers/SecretsControllerTest.cs
+++ b/test/Api.IntegrationTest/SecretsManager/Controllers/SecretsControllerTest.cs
@@ -148,11 +148,14 @@ public class SecretsControllerTest : IClassFixture, IAsyn
 var (org, _) = await _organizationHelper.Initialize(true, true);
 await LoginAsync(_email);
+ var project = await _projectRepository.CreateAsync(new Project { Name = "123" });
+
 var request = new SecretCreateRequestModel
 {
+ ProjectIds = new Guid[] { project.Id },
 Key = _mockEncryptedString,
 Value = _mockEncryptedString,
- Note = _mockEncryptedString
+ Note = _mockEncryptedString,
 };
 var response = await _client.PostAsJsonAsync($"/organizations/{org.Id}/secrets", request);
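Review bot: The new guard only blocks an update that drops the project relation entirely; an update that swaps the secret to a different project still falls through to the `hasAccess` switch, and the `AccessClientType.User` branch (outside the hunk) appears to check write access on the incoming `project` only, so a user with write access to some other project but not to the secret's current one could move the secret out of a project they cannot write to — please confirm that branch also verifies access to each entry of `secret.Projects`. Secrets that predate this change and have no project at all still pass because `secret.Projects.Any()` is false, which leaves them updatable without ever gaining a project; if that is intended, say so next to the check, e.g. `// Secrets created before SM-579 may have no project; only reject updates that would drop an existing relation.` The enclosing method starts and ends outside the hunk.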
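Review bot: The project the test creates carries no organization, yet it is attached to a secret posted to `/organizations/{org.Id}/secrets`; if the request succeeds (the assertions are outside the hunk), the fixture is quietly relying on the command accepting a project from outside the organization, and the test would keep passing even if that case were later meant to be rejected. Assuming `Project` has an organization field, create it as `var project = await _projectRepository.CreateAsync(new Project { OrganizationId = org.Id, Name = "123" });` so the fixture reflects the case the command is meant to allow, and add a companion test that posts a project ID belonging to a different organization and expects the not-found response. The enclosing test method starts outside the hunk.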