1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-28 13:15:12 +01:00

[SM-579] Prevent creating secrets not attached to projects (#2754)

* Prevent creating secrets not attached to projects, and prevent updating secrets to remove project relation

* Fix test
This commit is contained in:
Oscar Hinton 2023-03-07 10:13:49 +01:00 committed by GitHub
parent 14c8edfcb7
commit 2c8f23ec9b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 15 additions and 2 deletions

View File

@ -26,10 +26,15 @@ public class CreateSecretCommand : ICreateSecretCommand
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin); var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
var project = secret.Projects?.FirstOrDefault(); var project = secret.Projects?.FirstOrDefault();
if (project == null)
{
throw new NotFoundException();
}
var hasAccess = accessClient switch var hasAccess = accessClient switch
{ {
AccessClientType.NoAccessCheck => true, AccessClientType.NoAccessCheck => true,
AccessClientType.User => project != null && await _projectRepository.UserHasWriteAccessToProject(project.Id, userId), AccessClientType.User => await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
_ => false, _ => false,
}; };

View File

@ -33,6 +33,11 @@ public class UpdateSecretCommand : IUpdateSecretCommand
var project = updatedSecret.Projects?.FirstOrDefault(); var project = updatedSecret.Projects?.FirstOrDefault();
if (secret.Projects != null && secret.Projects.Any() && project == null)
{
throw new NotFoundException();
}
var hasAccess = accessClient switch var hasAccess = accessClient switch
{ {
AccessClientType.NoAccessCheck => true, AccessClientType.NoAccessCheck => true,

View File

@ -148,11 +148,14 @@ public class SecretsControllerTest : IClassFixture<ApiApplicationFactory>, IAsyn
var (org, _) = await _organizationHelper.Initialize(true, true); var (org, _) = await _organizationHelper.Initialize(true, true);
await LoginAsync(_email); await LoginAsync(_email);
var project = await _projectRepository.CreateAsync(new Project { Name = "123" });
var request = new SecretCreateRequestModel var request = new SecretCreateRequestModel
{ {
ProjectIds = new Guid[] { project.Id },
Key = _mockEncryptedString, Key = _mockEncryptedString,
Value = _mockEncryptedString, Value = _mockEncryptedString,
Note = _mockEncryptedString Note = _mockEncryptedString,
}; };
var response = await _client.PostAsJsonAsync($"/organizations/{org.Id}/secrets", request); var response = await _client.PostAsJsonAsync($"/organizations/{org.Id}/secrets", request);