[SM-579] Prevent creating secrets not attached to projects (#2754)

* Prevent creating secrets not attached to projects, and prevent updating secrets to remove project relation * Fix test
2024-11-25 12:45:18 +01:00 · 2023-03-07 10:13:49 +01:00 · 2023-03-07 10:13:49 +01:00 · 2c8f23ec9b
commit 2c8f23ec9b
parent 14c8edfcb7
3 changed files with 15 additions and 2 deletions
--- a/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/CreateSecretCommand.cs
+++ b/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/CreateSecretCommand.cs
@ -26,10 +26,15 @@ public class CreateSecretCommand : ICreateSecretCommand
        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
        var project = secret.Projects?.FirstOrDefault();

+        if (project == null)
+        {
+            throw new NotFoundException();
+        }
+
        var hasAccess = accessClient switch
        {
            AccessClientType.NoAccessCheck => true,
-            AccessClientType.User => project != null && await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
+            AccessClientType.User => await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
            _ => false,
        };

--- a/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
+++ b/bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
@ -33,6 +33,11 @@ public class UpdateSecretCommand : IUpdateSecretCommand

        var project = updatedSecret.Projects?.FirstOrDefault();

+        if (secret.Projects != null && secret.Projects.Any() && project == null)
+        {
+            throw new NotFoundException();
+        }
+
        var hasAccess = accessClient switch
        {
            AccessClientType.NoAccessCheck => true,
--- a/test/Api.IntegrationTest/SecretsManager/Controllers/SecretsControllerTest.cs
+++ b/test/Api.IntegrationTest/SecretsManager/Controllers/SecretsControllerTest.cs
@ -148,11 +148,14 @@ public class SecretsControllerTest : IClassFixture<ApiApplicationFactory>, IAsyn
        var (org, _) = await _organizationHelper.Initialize(true, true);
        await LoginAsync(_email);

+        var project = await _projectRepository.CreateAsync(new Project { Name = "123" });
+
        var request = new SecretCreateRequestModel
        {
+            ProjectIds = new Guid[] { project.Id },
            Key = _mockEncryptedString,
            Value = _mockEncryptedString,
-            Note = _mockEncryptedString
+            Note = _mockEncryptedString,
        };

        var response = await _client.PostAsJsonAsync($"/organizations/{org.Id}/secrets", request);