mirror of
https://github.com/bitwarden/server.git
synced 2025-02-18 02:11:22 +01:00
[SM-705] Extract Authorization from Access Token Commands (#2928)
* refactor authorization for access token commands * Unit tests for authorization handler
This commit is contained in:
Thomas Avery
GitHub
parent
b7a40406af
commit
3449d28c83
@ -44,6 +44,15 @@ public class
|
|||||||
case not null when requirement == ServiceAccountOperations.Update:
|
case not null when requirement == ServiceAccountOperations.Update:
|
||||||
await CanUpdateServiceAccountAsync(context, requirement, resource);
|
await CanUpdateServiceAccountAsync(context, requirement, resource);
|
||||||
break;
|
break;
|
||||||
|
case not null when requirement == ServiceAccountOperations.CreateAccessToken:
|
||||||
|
await CanCreateAccessTokenAsync(context, requirement, resource);
|
||||||
|
break;
|
||||||
|
case not null when requirement == ServiceAccountOperations.ReadAccessTokens:
|
||||||
|
await CanReadAccessTokensAsync(context, requirement, resource);
|
||||||
|
break;
|
||||||
|
case not null when requirement == ServiceAccountOperations.RevokeAccessTokens:
|
||||||
|
await CanRevokeAccessTokensAsync(context, requirement, resource);
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
throw new ArgumentException("Unsupported operation requirement type provided.",
|
throw new ArgumentException("Unsupported operation requirement type provided.",
|
||||||
nameof(requirement));
|
nameof(requirement));
|
||||||
@ -97,4 +106,49 @@ public class
|
|||||||
context.Succeed(requirement);
|
context.Succeed(requirement);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private async Task CanCreateAccessTokenAsync(AuthorizationHandlerContext context,
|
||||||
|
ServiceAccountOperationRequirement requirement, ServiceAccount resource)
|
||||||
|
{
|
||||||
|
var (accessClient, userId) =
|
||||||
|
await _accessClientQuery.GetAccessClientAsync(context.User, resource.OrganizationId);
|
||||||
|
var access =
|
||||||
|
await _serviceAccountRepository.AccessToServiceAccountAsync(resource.Id, userId,
|
||||||
|
accessClient);
|
||||||
|
|
||||||
|
if (access.Write)
|
||||||
|
{
|
||||||
|
context.Succeed(requirement);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task CanReadAccessTokensAsync(AuthorizationHandlerContext context,
|
||||||
|
ServiceAccountOperationRequirement requirement, ServiceAccount resource)
|
||||||
|
{
|
||||||
|
var (accessClient, userId) =
|
||||||
|
await _accessClientQuery.GetAccessClientAsync(context.User, resource.OrganizationId);
|
||||||
|
var access =
|
||||||
|
await _serviceAccountRepository.AccessToServiceAccountAsync(resource.Id, userId,
|
||||||
|
accessClient);
|
||||||
|
|
||||||
|
if (access.Read)
|
||||||
|
{
|
||||||
|
context.Succeed(requirement);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private async Task CanRevokeAccessTokensAsync(AuthorizationHandlerContext context,
|
||||||
|
ServiceAccountOperationRequirement requirement, ServiceAccount resource)
|
||||||
|
{
|
||||||
|
var (accessClient, userId) =
|
||||||
|
await _accessClientQuery.GetAccessClientAsync(context.User, resource.OrganizationId);
|
||||||
|
var access =
|
||||||
|
await _serviceAccountRepository.AccessToServiceAccountAsync(resource.Id, userId,
|
||||||
|
accessClient);
|
||||||
|
|
||||||
|
if (access.Write)
|
||||||
|
{
|
||||||
|
context.Succeed(requirement);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,6 +1,4 @@
|
|||||||
using Bit.Core.Context;
|
using Bit.Core.Exceptions;
|
||||||
using Bit.Core.Enums;
|
|
||||||
using Bit.Core.Exceptions;
|
|
||||||
using Bit.Core.SecretsManager.Commands.AccessTokens.Interfaces;
|
using Bit.Core.SecretsManager.Commands.AccessTokens.Interfaces;
|
||||||
using Bit.Core.SecretsManager.Entities;
|
using Bit.Core.SecretsManager.Entities;
|
||||||
using Bit.Core.SecretsManager.Repositories;
|
using Bit.Core.SecretsManager.Repositories;
|
||||||
@ -10,51 +8,21 @@ namespace Bit.Commercial.Core.SecretsManager.Commands.AccessTokens;
|
|||||||
|
|
||||||
public class CreateAccessTokenCommand : ICreateAccessTokenCommand
|
public class CreateAccessTokenCommand : ICreateAccessTokenCommand
|
||||||
{
|
{
|
||||||
|
private const int _clientSecretMaxLength = 30;
|
||||||
private readonly IApiKeyRepository _apiKeyRepository;
|
private readonly IApiKeyRepository _apiKeyRepository;
|
||||||
private readonly int _clientSecretMaxLength = 30;
|
|
||||||
private readonly ICurrentContext _currentContext;
|
|
||||||
private readonly IServiceAccountRepository _serviceAccountRepository;
|
|
||||||
|
|
||||||
public CreateAccessTokenCommand(
|
public CreateAccessTokenCommand(IApiKeyRepository apiKeyRepository)
|
||||||
IApiKeyRepository apiKeyRepository,
|
|
||||||
ICurrentContext currentContext,
|
|
||||||
IServiceAccountRepository serviceAccountRepository)
|
|
||||||
{
|
{
|
||||||
_apiKeyRepository = apiKeyRepository;
|
_apiKeyRepository = apiKeyRepository;
|
||||||
_currentContext = currentContext;
|
|
||||||
_serviceAccountRepository = serviceAccountRepository;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public async Task<ApiKey> CreateAsync(ApiKey apiKey, Guid userId)
|
public async Task<ApiKey> CreateAsync(ApiKey apiKey)
|
||||||
{
|
{
|
||||||
if (apiKey.ServiceAccountId == null)
|
if (apiKey.ServiceAccountId == null)
|
||||||
{
|
{
|
||||||
throw new BadRequestException();
|
throw new BadRequestException();
|
||||||
}
|
}
|
||||||
|
|
||||||
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(apiKey.ServiceAccountId.Value);
|
|
||||||
|
|
||||||
if (!_currentContext.AccessSecretsManager(serviceAccount.OrganizationId))
|
|
||||||
{
|
|
||||||
throw new NotFoundException();
|
|
||||||
}
|
|
||||||
|
|
||||||
var orgAdmin = await _currentContext.OrganizationAdmin(serviceAccount.OrganizationId);
|
|
||||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
|
||||||
|
|
||||||
var hasAccess = accessClient switch
|
|
||||||
{
|
|
||||||
AccessClientType.NoAccessCheck => true,
|
|
||||||
AccessClientType.User => await _serviceAccountRepository.UserHasWriteAccessToServiceAccount(
|
|
||||||
apiKey.ServiceAccountId.Value, userId),
|
|
||||||
_ => false,
|
|
||||||
};
|
|
||||||
|
|
||||||
if (!hasAccess)
|
|
||||||
{
|
|
||||||
throw new NotFoundException();
|
|
||||||
}
|
|
||||||
|
|
||||||
apiKey.ClientSecret = CoreHelpers.SecureRandomString(_clientSecretMaxLength);
|
apiKey.ClientSecret = CoreHelpers.SecureRandomString(_clientSecretMaxLength);
|
||||||
return await _apiKeyRepository.CreateAsync(apiKey);
|
return await _apiKeyRepository.CreateAsync(apiKey);
|
||||||
}
|
}
|
||||||
|
|||||||
@ -178,9 +178,13 @@ public class ServiceAccountAuthorizationHandlerTests
|
|||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false)]
|
[BitAutoData(PermissionType.RunAsAdmin, true, true, true)]
|
||||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false)]
|
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||||
public async Task CanUpdateServiceAccount_ShouldNotSucceed(PermissionType permissionType, bool read, bool write,
|
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||||
|
public async Task CanUpdateServiceAccount_AccessCheck(PermissionType permissionType, bool read, bool write,
|
||||||
|
bool expected,
|
||||||
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
||||||
ClaimsPrincipal claimsPrincipal,
|
ClaimsPrincipal claimsPrincipal,
|
||||||
Guid userId)
|
Guid userId)
|
||||||
@ -195,30 +199,7 @@ public class ServiceAccountAuthorizationHandlerTests
|
|||||||
|
|
||||||
await sutProvider.Sut.HandleAsync(authzContext);
|
await sutProvider.Sut.HandleAsync(authzContext);
|
||||||
|
|
||||||
Assert.False(authzContext.HasSucceeded);
|
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||||
}
|
|
||||||
|
|
||||||
[Theory]
|
|
||||||
[BitAutoData(PermissionType.RunAsAdmin, true, true)]
|
|
||||||
[BitAutoData(PermissionType.RunAsAdmin, false, true)]
|
|
||||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true)]
|
|
||||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true)]
|
|
||||||
public async Task CanUpdateServiceAccount_Success(PermissionType permissionType, bool read, bool write,
|
|
||||||
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
|
||||||
ClaimsPrincipal claimsPrincipal,
|
|
||||||
Guid userId)
|
|
||||||
{
|
|
||||||
var requirement = ServiceAccountOperations.Update;
|
|
||||||
SetupPermission(sutProvider, permissionType, serviceAccount.OrganizationId, userId);
|
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
|
||||||
.AccessToServiceAccountAsync(serviceAccount.Id, userId, Arg.Any<AccessClientType>())
|
|
||||||
.Returns((read, write));
|
|
||||||
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
|
||||||
claimsPrincipal, serviceAccount);
|
|
||||||
|
|
||||||
await sutProvider.Sut.HandleAsync(authzContext);
|
|
||||||
|
|
||||||
Assert.True(authzContext.HasSucceeded);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -257,9 +238,13 @@ public class ServiceAccountAuthorizationHandlerTests
|
|||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false)]
|
[BitAutoData(PermissionType.RunAsAdmin, true, true, true)]
|
||||||
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true)]
|
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||||
public async Task CanReadServiceAccount_ShouldNotSucceed(PermissionType permissionType, bool read, bool write,
|
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, false)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, true)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||||
|
public async Task CanReadServiceAccount_AccessCheck(PermissionType permissionType, bool read, bool write,
|
||||||
|
bool expected,
|
||||||
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
||||||
ClaimsPrincipal claimsPrincipal,
|
ClaimsPrincipal claimsPrincipal,
|
||||||
Guid userId)
|
Guid userId)
|
||||||
@ -274,20 +259,56 @@ public class ServiceAccountAuthorizationHandlerTests
|
|||||||
|
|
||||||
await sutProvider.Sut.HandleAsync(authzContext);
|
await sutProvider.Sut.HandleAsync(authzContext);
|
||||||
|
|
||||||
|
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData]
|
||||||
|
public async Task CanCreateAccessToken_AccessToSecretsManagerFalse_DoesNotSucceed(
|
||||||
|
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
||||||
|
ClaimsPrincipal claimsPrincipal)
|
||||||
|
{
|
||||||
|
var requirement = ServiceAccountOperations.CreateAccessToken;
|
||||||
|
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(serviceAccount.OrganizationId)
|
||||||
|
.Returns(false);
|
||||||
|
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||||
|
claimsPrincipal, serviceAccount);
|
||||||
|
|
||||||
|
await sutProvider.Sut.HandleAsync(authzContext);
|
||||||
|
|
||||||
Assert.False(authzContext.HasSucceeded);
|
Assert.False(authzContext.HasSucceeded);
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData(PermissionType.RunAsAdmin, true, true)]
|
[BitAutoData]
|
||||||
[BitAutoData(PermissionType.RunAsAdmin, true, false)]
|
public async Task CanCreateAccessToken_NullResource_DoesNotSucceed(
|
||||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true)]
|
|
||||||
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false)]
|
|
||||||
public async Task CanReadServiceAccount_Success(PermissionType permissionType, bool read, bool write,
|
|
||||||
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
||||||
ClaimsPrincipal claimsPrincipal,
|
ClaimsPrincipal claimsPrincipal,
|
||||||
Guid userId)
|
Guid userId)
|
||||||
{
|
{
|
||||||
var requirement = ServiceAccountOperations.Read;
|
var requirement = ServiceAccountOperations.CreateAccessToken;
|
||||||
|
SetupPermission(sutProvider, PermissionType.RunAsAdmin, serviceAccount.OrganizationId, userId);
|
||||||
|
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||||
|
claimsPrincipal, null);
|
||||||
|
|
||||||
|
await sutProvider.Sut.HandleAsync(authzContext);
|
||||||
|
|
||||||
|
Assert.False(authzContext.HasSucceeded);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData(PermissionType.RunAsAdmin, true, true, true)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||||
|
public async Task CanCreateAccessToken_AccessCheck(PermissionType permissionType, bool read, bool write,
|
||||||
|
bool expected,
|
||||||
|
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
||||||
|
ClaimsPrincipal claimsPrincipal,
|
||||||
|
Guid userId)
|
||||||
|
{
|
||||||
|
var requirement = ServiceAccountOperations.CreateAccessToken;
|
||||||
SetupPermission(sutProvider, permissionType, serviceAccount.OrganizationId, userId);
|
SetupPermission(sutProvider, permissionType, serviceAccount.OrganizationId, userId);
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>()
|
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||||
.AccessToServiceAccountAsync(serviceAccount.Id, userId, Arg.Any<AccessClientType>())
|
.AccessToServiceAccountAsync(serviceAccount.Id, userId, Arg.Any<AccessClientType>())
|
||||||
@ -297,6 +318,124 @@ public class ServiceAccountAuthorizationHandlerTests
|
|||||||
|
|
||||||
await sutProvider.Sut.HandleAsync(authzContext);
|
await sutProvider.Sut.HandleAsync(authzContext);
|
||||||
|
|
||||||
Assert.True(authzContext.HasSucceeded);
|
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData]
|
||||||
|
public async Task CanReadAccessTokens_AccessToSecretsManagerFalse_DoesNotSucceed(
|
||||||
|
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
||||||
|
ClaimsPrincipal claimsPrincipal)
|
||||||
|
{
|
||||||
|
var requirement = ServiceAccountOperations.ReadAccessTokens;
|
||||||
|
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(serviceAccount.OrganizationId)
|
||||||
|
.Returns(false);
|
||||||
|
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||||
|
claimsPrincipal, serviceAccount);
|
||||||
|
|
||||||
|
await sutProvider.Sut.HandleAsync(authzContext);
|
||||||
|
|
||||||
|
Assert.False(authzContext.HasSucceeded);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData]
|
||||||
|
public async Task CanReadAccessTokens_NullResource_DoesNotSucceed(
|
||||||
|
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
||||||
|
ClaimsPrincipal claimsPrincipal,
|
||||||
|
Guid userId)
|
||||||
|
{
|
||||||
|
var requirement = ServiceAccountOperations.ReadAccessTokens;
|
||||||
|
SetupPermission(sutProvider, PermissionType.RunAsAdmin, serviceAccount.OrganizationId, userId);
|
||||||
|
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||||
|
claimsPrincipal, null);
|
||||||
|
|
||||||
|
await sutProvider.Sut.HandleAsync(authzContext);
|
||||||
|
|
||||||
|
Assert.False(authzContext.HasSucceeded);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData(PermissionType.RunAsAdmin, true, true, true)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, false)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, true)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||||
|
public async Task CanReadAccessTokens_AccessCheck(PermissionType permissionType, bool read, bool write,
|
||||||
|
bool expected,
|
||||||
|
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
||||||
|
ClaimsPrincipal claimsPrincipal,
|
||||||
|
Guid userId)
|
||||||
|
{
|
||||||
|
var requirement = ServiceAccountOperations.ReadAccessTokens;
|
||||||
|
SetupPermission(sutProvider, permissionType, serviceAccount.OrganizationId, userId);
|
||||||
|
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||||
|
.AccessToServiceAccountAsync(serviceAccount.Id, userId, Arg.Any<AccessClientType>())
|
||||||
|
.Returns((read, write));
|
||||||
|
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||||
|
claimsPrincipal, serviceAccount);
|
||||||
|
|
||||||
|
await sutProvider.Sut.HandleAsync(authzContext);
|
||||||
|
|
||||||
|
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData]
|
||||||
|
public async Task CanRevokeAccessTokens_AccessToSecretsManagerFalse_DoesNotSucceed(
|
||||||
|
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
||||||
|
ClaimsPrincipal claimsPrincipal)
|
||||||
|
{
|
||||||
|
var requirement = ServiceAccountOperations.RevokeAccessTokens;
|
||||||
|
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(serviceAccount.OrganizationId)
|
||||||
|
.Returns(false);
|
||||||
|
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||||
|
claimsPrincipal, serviceAccount);
|
||||||
|
|
||||||
|
await sutProvider.Sut.HandleAsync(authzContext);
|
||||||
|
|
||||||
|
Assert.False(authzContext.HasSucceeded);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData]
|
||||||
|
public async Task CanRevokeAccessTokens_NullResource_DoesNotSucceed(
|
||||||
|
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
||||||
|
ClaimsPrincipal claimsPrincipal,
|
||||||
|
Guid userId)
|
||||||
|
{
|
||||||
|
var requirement = ServiceAccountOperations.RevokeAccessTokens;
|
||||||
|
SetupPermission(sutProvider, PermissionType.RunAsAdmin, serviceAccount.OrganizationId, userId);
|
||||||
|
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||||
|
claimsPrincipal, null);
|
||||||
|
|
||||||
|
await sutProvider.Sut.HandleAsync(authzContext);
|
||||||
|
|
||||||
|
Assert.False(authzContext.HasSucceeded);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData(PermissionType.RunAsAdmin, true, true, true)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, false, false, false)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, false, true, true)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, true, false, false)]
|
||||||
|
[BitAutoData(PermissionType.RunAsUserWithPermission, true, true, true)]
|
||||||
|
public async Task CanRevokeAccessTokens_AccessCheck(PermissionType permissionType, bool read, bool write,
|
||||||
|
bool expected,
|
||||||
|
SutProvider<ServiceAccountAuthorizationHandler> sutProvider, ServiceAccount serviceAccount,
|
||||||
|
ClaimsPrincipal claimsPrincipal,
|
||||||
|
Guid userId)
|
||||||
|
{
|
||||||
|
var requirement = ServiceAccountOperations.RevokeAccessTokens;
|
||||||
|
SetupPermission(sutProvider, permissionType, serviceAccount.OrganizationId, userId);
|
||||||
|
sutProvider.GetDependency<IServiceAccountRepository>()
|
||||||
|
.AccessToServiceAccountAsync(serviceAccount.Id, userId, Arg.Any<AccessClientType>())
|
||||||
|
.Returns((read, write));
|
||||||
|
var authzContext = new AuthorizationHandlerContext(new List<IAuthorizationRequirement> { requirement },
|
||||||
|
claimsPrincipal, serviceAccount);
|
||||||
|
|
||||||
|
await sutProvider.Sut.HandleAsync(authzContext);
|
||||||
|
|
||||||
|
Assert.Equal(expected, authzContext.HasSucceeded);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1,5 +1,4 @@
|
|||||||
using Bit.Commercial.Core.SecretsManager.Commands.AccessTokens;
|
using Bit.Commercial.Core.SecretsManager.Commands.AccessTokens;
|
||||||
using Bit.Core.Context;
|
|
||||||
using Bit.Core.Exceptions;
|
using Bit.Core.Exceptions;
|
||||||
using Bit.Core.SecretsManager.Entities;
|
using Bit.Core.SecretsManager.Entities;
|
||||||
using Bit.Core.SecretsManager.Repositories;
|
using Bit.Core.SecretsManager.Repositories;
|
||||||
@ -16,59 +15,21 @@ public class CreateServiceAccountCommandTests
|
|||||||
{
|
{
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData]
|
[BitAutoData]
|
||||||
public async Task CreateAsync_NoServiceAccountId_ThrowsBadRequestException(ApiKey data, Guid userId,
|
public async Task CreateAsync_NoServiceAccountId_ThrowsBadRequestException(
|
||||||
SutProvider<CreateAccessTokenCommand> sutProvider)
|
SutProvider<CreateAccessTokenCommand> sutProvider, ApiKey data)
|
||||||
{
|
{
|
||||||
data.ServiceAccountId = null;
|
data.ServiceAccountId = null;
|
||||||
|
|
||||||
await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(data, userId));
|
await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(data));
|
||||||
|
|
||||||
await sutProvider.GetDependency<IApiKeyRepository>().DidNotReceiveWithAnyArgs().CreateAsync(default);
|
await sutProvider.GetDependency<IApiKeyRepository>().DidNotReceiveWithAnyArgs().CreateAsync(default);
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData]
|
[BitAutoData]
|
||||||
public async Task CreateAsync_User_NoAccess(ApiKey data, Guid userId, ServiceAccount saData,
|
public async Task CreateAsync_Success(SutProvider<CreateAccessTokenCommand> sutProvider, ApiKey data)
|
||||||
SutProvider<CreateAccessTokenCommand> sutProvider)
|
|
||||||
{
|
{
|
||||||
data.ServiceAccountId = saData.Id;
|
await sutProvider.Sut.CreateAsync(data);
|
||||||
|
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(saData.Id).Returns(saData);
|
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().UserHasWriteAccessToServiceAccount(saData.Id, userId).Returns(false);
|
|
||||||
|
|
||||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAsync(data, userId));
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IApiKeyRepository>().DidNotReceiveWithAnyArgs().CreateAsync(default);
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory]
|
|
||||||
[BitAutoData]
|
|
||||||
public async Task CreateAsync_User_Success(ApiKey data, Guid userId, ServiceAccount saData,
|
|
||||||
SutProvider<CreateAccessTokenCommand> sutProvider)
|
|
||||||
{
|
|
||||||
data.ServiceAccountId = saData.Id;
|
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(saData.Id).Returns(saData);
|
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().UserHasWriteAccessToServiceAccount(saData.Id, userId).Returns(true);
|
|
||||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(saData.OrganizationId).Returns(true);
|
|
||||||
|
|
||||||
await sutProvider.Sut.CreateAsync(data, userId);
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IApiKeyRepository>().Received(1)
|
|
||||||
.CreateAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)));
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory]
|
|
||||||
[BitAutoData]
|
|
||||||
public async Task CreateAsync_Admin_Succeeds(ApiKey data, Guid userId, ServiceAccount saData,
|
|
||||||
SutProvider<CreateAccessTokenCommand> sutProvider)
|
|
||||||
{
|
|
||||||
data.ServiceAccountId = saData.Id;
|
|
||||||
|
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(saData.Id).Returns(saData);
|
|
||||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(saData.OrganizationId).Returns(true);
|
|
||||||
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(saData.OrganizationId).Returns(true);
|
|
||||||
|
|
||||||
await sutProvider.Sut.CreateAsync(data, userId);
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IApiKeyRepository>().Received(1)
|
await sutProvider.GetDependency<IApiKeyRepository>().Received(1)
|
||||||
.CreateAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)));
|
.CreateAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)));
|
||||||
|
|||||||
@ -140,28 +140,12 @@ public class ServiceAccountsController : Controller
|
|||||||
[HttpGet("{id}/access-tokens")]
|
[HttpGet("{id}/access-tokens")]
|
||||||
public async Task<ListResponseModel<AccessTokenResponseModel>> GetAccessTokens([FromRoute] Guid id)
|
public async Task<ListResponseModel<AccessTokenResponseModel>> GetAccessTokens([FromRoute] Guid id)
|
||||||
{
|
{
|
||||||
var userId = _userService.GetProperUserId(User).Value;
|
|
||||||
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
|
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
|
||||||
if (serviceAccount == null)
|
var authorizationResult =
|
||||||
{
|
await _authorizationService.AuthorizeAsync(User, serviceAccount,
|
||||||
throw new NotFoundException();
|
ServiceAccountOperations.ReadAccessTokens);
|
||||||
}
|
|
||||||
|
|
||||||
if (!_currentContext.AccessSecretsManager(serviceAccount.OrganizationId))
|
if (!authorizationResult.Succeeded)
|
||||||
{
|
|
||||||
throw new NotFoundException();
|
|
||||||
}
|
|
||||||
|
|
||||||
var orgAdmin = await _currentContext.OrganizationAdmin(serviceAccount.OrganizationId);
|
|
||||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
|
||||||
|
|
||||||
var hasAccess = accessClient switch
|
|
||||||
{
|
|
||||||
AccessClientType.NoAccessCheck => true,
|
|
||||||
AccessClientType.User => await _serviceAccountRepository.UserHasReadAccessToServiceAccount(id, userId),
|
|
||||||
_ => false,
|
|
||||||
};
|
|
||||||
if (!hasAccess)
|
|
||||||
{
|
{
|
||||||
throw new NotFoundException();
|
throw new NotFoundException();
|
||||||
}
|
}
|
||||||
@ -175,38 +159,29 @@ public class ServiceAccountsController : Controller
|
|||||||
public async Task<AccessTokenCreationResponseModel> CreateAccessTokenAsync([FromRoute] Guid id,
|
public async Task<AccessTokenCreationResponseModel> CreateAccessTokenAsync([FromRoute] Guid id,
|
||||||
[FromBody] AccessTokenCreateRequestModel request)
|
[FromBody] AccessTokenCreateRequestModel request)
|
||||||
{
|
{
|
||||||
var userId = _userService.GetProperUserId(User).Value;
|
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
|
||||||
|
var authorizationResult =
|
||||||
|
await _authorizationService.AuthorizeAsync(User, serviceAccount,
|
||||||
|
ServiceAccountOperations.CreateAccessToken);
|
||||||
|
|
||||||
var result = await _createAccessTokenCommand.CreateAsync(request.ToApiKey(id), userId);
|
if (!authorizationResult.Succeeded)
|
||||||
|
{
|
||||||
|
throw new NotFoundException();
|
||||||
|
}
|
||||||
|
|
||||||
|
var result = await _createAccessTokenCommand.CreateAsync(request.ToApiKey(id));
|
||||||
return new AccessTokenCreationResponseModel(result);
|
return new AccessTokenCreationResponseModel(result);
|
||||||
}
|
}
|
||||||
|
|
||||||
[HttpPost("{id}/access-tokens/revoke")]
|
[HttpPost("{id}/access-tokens/revoke")]
|
||||||
public async Task RevokeAccessTokensAsync(Guid id, [FromBody] RevokeAccessTokensRequest request)
|
public async Task RevokeAccessTokensAsync(Guid id, [FromBody] RevokeAccessTokensRequest request)
|
||||||
{
|
{
|
||||||
var userId = _userService.GetProperUserId(User).Value;
|
|
||||||
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
|
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
|
||||||
if (serviceAccount == null)
|
var authorizationResult =
|
||||||
{
|
await _authorizationService.AuthorizeAsync(User, serviceAccount,
|
||||||
throw new NotFoundException();
|
ServiceAccountOperations.RevokeAccessTokens);
|
||||||
}
|
|
||||||
|
|
||||||
if (!_currentContext.AccessSecretsManager(serviceAccount.OrganizationId))
|
if (!authorizationResult.Succeeded)
|
||||||
{
|
|
||||||
throw new NotFoundException();
|
|
||||||
}
|
|
||||||
|
|
||||||
var orgAdmin = await _currentContext.OrganizationAdmin(serviceAccount.OrganizationId);
|
|
||||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
|
||||||
|
|
||||||
var hasAccess = accessClient switch
|
|
||||||
{
|
|
||||||
AccessClientType.NoAccessCheck => true,
|
|
||||||
AccessClientType.User => await _serviceAccountRepository.UserHasWriteAccessToServiceAccount(id, userId),
|
|
||||||
_ => false,
|
|
||||||
};
|
|
||||||
|
|
||||||
if (!hasAccess)
|
|
||||||
{
|
{
|
||||||
throw new NotFoundException();
|
throw new NotFoundException();
|
||||||
}
|
}
|
||||||
|
|||||||
@ -11,4 +11,7 @@ public static class ServiceAccountOperations
|
|||||||
public static readonly ServiceAccountOperationRequirement Create = new() { Name = nameof(Create) };
|
public static readonly ServiceAccountOperationRequirement Create = new() { Name = nameof(Create) };
|
||||||
public static readonly ServiceAccountOperationRequirement Read = new() { Name = nameof(Read) };
|
public static readonly ServiceAccountOperationRequirement Read = new() { Name = nameof(Read) };
|
||||||
public static readonly ServiceAccountOperationRequirement Update = new() { Name = nameof(Update) };
|
public static readonly ServiceAccountOperationRequirement Update = new() { Name = nameof(Update) };
|
||||||
|
public static readonly ServiceAccountOperationRequirement ReadAccessTokens = new() { Name = nameof(ReadAccessTokens) };
|
||||||
|
public static readonly ServiceAccountOperationRequirement CreateAccessToken = new() { Name = nameof(CreateAccessToken) };
|
||||||
|
public static readonly ServiceAccountOperationRequirement RevokeAccessTokens = new() { Name = nameof(RevokeAccessTokens) };
|
||||||
}
|
}
|
||||||
|
|||||||
@ -4,5 +4,5 @@ namespace Bit.Core.SecretsManager.Commands.AccessTokens.Interfaces;
|
|||||||
|
|
||||||
public interface ICreateAccessTokenCommand
|
public interface ICreateAccessTokenCommand
|
||||||
{
|
{
|
||||||
Task<ApiKey> CreateAsync(ApiKey apiKey, Guid userId);
|
Task<ApiKey> CreateAsync(ApiKey apiKey);
|
||||||
}
|
}
|
||||||
|
|||||||
@ -14,7 +14,6 @@ using Bit.Test.Common.AutoFixture.Attributes;
|
|||||||
using Bit.Test.Common.Helpers;
|
using Bit.Test.Common.Helpers;
|
||||||
using Microsoft.AspNetCore.Authorization;
|
using Microsoft.AspNetCore.Authorization;
|
||||||
using NSubstitute;
|
using NSubstitute;
|
||||||
using NSubstitute.ReturnsExtensions;
|
|
||||||
using Xunit;
|
using Xunit;
|
||||||
|
|
||||||
namespace Bit.Api.Test.SecretsManager.Controllers;
|
namespace Bit.Api.Test.SecretsManager.Controllers;
|
||||||
@ -26,37 +25,43 @@ public class ServiceAccountsControllerTests
|
|||||||
{
|
{
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData]
|
[BitAutoData]
|
||||||
public async void GetServiceAccountsByOrganization_ReturnsEmptyList(SutProvider<ServiceAccountsController> sutProvider, Guid id)
|
public async void GetServiceAccountsByOrganization_ReturnsEmptyList(
|
||||||
|
SutProvider<ServiceAccountsController> sutProvider, Guid id)
|
||||||
{
|
{
|
||||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(id).Returns(true);
|
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(id).Returns(true);
|
||||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||||
var result = await sutProvider.Sut.ListByOrganizationAsync(id);
|
var result = await sutProvider.Sut.ListByOrganizationAsync(id);
|
||||||
|
|
||||||
await sutProvider.GetDependency<IServiceAccountRepository>().Received(1)
|
await sutProvider.GetDependency<IServiceAccountRepository>().Received(1)
|
||||||
.GetManyByOrganizationIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(id)), Arg.Any<Guid>(), Arg.Any<AccessClientType>());
|
.GetManyByOrganizationIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(id)), Arg.Any<Guid>(),
|
||||||
|
Arg.Any<AccessClientType>());
|
||||||
|
|
||||||
Assert.Empty(result.Data);
|
Assert.Empty(result.Data);
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData]
|
[BitAutoData]
|
||||||
public async void GetServiceAccountsByOrganization_Success(SutProvider<ServiceAccountsController> sutProvider, ServiceAccount resultServiceAccount)
|
public async void GetServiceAccountsByOrganization_Success(SutProvider<ServiceAccountsController> sutProvider,
|
||||||
|
ServiceAccount resultServiceAccount)
|
||||||
{
|
{
|
||||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
|
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(true);
|
||||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().GetManyByOrganizationIdAsync(default, default, default).ReturnsForAnyArgs(new List<ServiceAccount>() { resultServiceAccount });
|
sutProvider.GetDependency<IServiceAccountRepository>().GetManyByOrganizationIdAsync(default, default, default)
|
||||||
|
.ReturnsForAnyArgs(new List<ServiceAccount> { resultServiceAccount });
|
||||||
|
|
||||||
var result = await sutProvider.Sut.ListByOrganizationAsync(resultServiceAccount.OrganizationId);
|
var result = await sutProvider.Sut.ListByOrganizationAsync(resultServiceAccount.OrganizationId);
|
||||||
|
|
||||||
await sutProvider.GetDependency<IServiceAccountRepository>().Received(1)
|
await sutProvider.GetDependency<IServiceAccountRepository>().Received(1)
|
||||||
.GetManyByOrganizationIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(resultServiceAccount.OrganizationId)), Arg.Any<Guid>(), Arg.Any<AccessClientType>());
|
.GetManyByOrganizationIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(resultServiceAccount.OrganizationId)),
|
||||||
|
Arg.Any<Guid>(), Arg.Any<AccessClientType>());
|
||||||
Assert.NotEmpty(result.Data);
|
Assert.NotEmpty(result.Data);
|
||||||
Assert.Single(result.Data);
|
Assert.Single(result.Data);
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData]
|
[BitAutoData]
|
||||||
public async void GetServiceAccountsByOrganization_AccessDenied_Throws(SutProvider<ServiceAccountsController> sutProvider, Guid orgId)
|
public async void GetServiceAccountsByOrganization_AccessDenied_Throws(
|
||||||
|
SutProvider<ServiceAccountsController> sutProvider, Guid orgId)
|
||||||
{
|
{
|
||||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(false);
|
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(default).ReturnsForAnyArgs(false);
|
||||||
|
|
||||||
@ -66,14 +71,16 @@ public class ServiceAccountsControllerTests
|
|||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData]
|
[BitAutoData]
|
||||||
public async void CreateServiceAccount_NoAccess_Throws(SutProvider<ServiceAccountsController> sutProvider, ServiceAccountCreateRequestModel data, Guid organizationId)
|
public async void CreateServiceAccount_NoAccess_Throws(SutProvider<ServiceAccountsController> sutProvider,
|
||||||
|
ServiceAccountCreateRequestModel data, Guid organizationId)
|
||||||
{
|
{
|
||||||
sutProvider.GetDependency<IAuthorizationService>()
|
sutProvider.GetDependency<IAuthorizationService>()
|
||||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToServiceAccount(organizationId),
|
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToServiceAccount(organizationId),
|
||||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
|
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
|
||||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||||
var resultServiceAccount = data.ToServiceAccount(organizationId);
|
var resultServiceAccount = data.ToServiceAccount(organizationId);
|
||||||
sutProvider.GetDependency<ICreateServiceAccountCommand>().CreateAsync(default, default).ReturnsForAnyArgs(resultServiceAccount);
|
sutProvider.GetDependency<ICreateServiceAccountCommand>().CreateAsync(default, default)
|
||||||
|
.ReturnsForAnyArgs(resultServiceAccount);
|
||||||
|
|
||||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAsync(organizationId, data));
|
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.CreateAsync(organizationId, data));
|
||||||
await sutProvider.GetDependency<ICreateServiceAccountCommand>().DidNotReceiveWithAnyArgs()
|
await sutProvider.GetDependency<ICreateServiceAccountCommand>().DidNotReceiveWithAnyArgs()
|
||||||
@ -82,30 +89,35 @@ public class ServiceAccountsControllerTests
|
|||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData]
|
[BitAutoData]
|
||||||
public async void CreateServiceAccount_Success(SutProvider<ServiceAccountsController> sutProvider, ServiceAccountCreateRequestModel data, Guid organizationId)
|
public async void CreateServiceAccount_Success(SutProvider<ServiceAccountsController> sutProvider,
|
||||||
|
ServiceAccountCreateRequestModel data, Guid organizationId)
|
||||||
{
|
{
|
||||||
sutProvider.GetDependency<IAuthorizationService>()
|
sutProvider.GetDependency<IAuthorizationService>()
|
||||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToServiceAccount(organizationId),
|
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToServiceAccount(organizationId),
|
||||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
||||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
||||||
var resultServiceAccount = data.ToServiceAccount(organizationId);
|
var resultServiceAccount = data.ToServiceAccount(organizationId);
|
||||||
sutProvider.GetDependency<ICreateServiceAccountCommand>().CreateAsync(default, default).ReturnsForAnyArgs(resultServiceAccount);
|
sutProvider.GetDependency<ICreateServiceAccountCommand>().CreateAsync(default, default)
|
||||||
|
.ReturnsForAnyArgs(resultServiceAccount);
|
||||||
|
|
||||||
await sutProvider.Sut.CreateAsync(organizationId, data);
|
await sutProvider.Sut.CreateAsync(organizationId, data);
|
||||||
await sutProvider.GetDependency<ICreateServiceAccountCommand>().Received(1)
|
await sutProvider.GetDependency<ICreateServiceAccountCommand>().Received(1)
|
||||||
.CreateAsync(Arg.Any<ServiceAccount>(), Arg.Any<Guid>());
|
.CreateAsync(Arg.Any<ServiceAccount>(), Arg.Any<Guid>());
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData]
|
[BitAutoData]
|
||||||
public async void UpdateServiceAccount_NoAccess_Throws(SutProvider<ServiceAccountsController> sutProvider, ServiceAccountUpdateRequestModel data, ServiceAccount existingServiceAccount)
|
public async void UpdateServiceAccount_NoAccess_Throws(SutProvider<ServiceAccountsController> sutProvider,
|
||||||
|
ServiceAccountUpdateRequestModel data, ServiceAccount existingServiceAccount)
|
||||||
{
|
{
|
||||||
sutProvider.GetDependency<IAuthorizationService>()
|
sutProvider.GetDependency<IAuthorizationService>()
|
||||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToServiceAccount(existingServiceAccount.Id),
|
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToServiceAccount(existingServiceAccount.Id),
|
||||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
|
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(existingServiceAccount.Id).ReturnsForAnyArgs(existingServiceAccount);
|
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(existingServiceAccount.Id)
|
||||||
|
.ReturnsForAnyArgs(existingServiceAccount);
|
||||||
var resultServiceAccount = data.ToServiceAccount(existingServiceAccount.Id);
|
var resultServiceAccount = data.ToServiceAccount(existingServiceAccount.Id);
|
||||||
sutProvider.GetDependency<IUpdateServiceAccountCommand>().UpdateAsync(default).ReturnsForAnyArgs(resultServiceAccount);
|
sutProvider.GetDependency<IUpdateServiceAccountCommand>().UpdateAsync(default)
|
||||||
|
.ReturnsForAnyArgs(resultServiceAccount);
|
||||||
|
|
||||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateAsync(existingServiceAccount.Id, data));
|
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateAsync(existingServiceAccount.Id, data));
|
||||||
await sutProvider.GetDependency<IUpdateServiceAccountCommand>().DidNotReceiveWithAnyArgs()
|
await sutProvider.GetDependency<IUpdateServiceAccountCommand>().DidNotReceiveWithAnyArgs()
|
||||||
@ -114,102 +126,136 @@ public class ServiceAccountsControllerTests
|
|||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData]
|
[BitAutoData]
|
||||||
public async void UpdateServiceAccount_Success(SutProvider<ServiceAccountsController> sutProvider, ServiceAccountUpdateRequestModel data, ServiceAccount existingServiceAccount)
|
public async void UpdateServiceAccount_Success(SutProvider<ServiceAccountsController> sutProvider,
|
||||||
|
ServiceAccountUpdateRequestModel data, ServiceAccount existingServiceAccount)
|
||||||
{
|
{
|
||||||
sutProvider.GetDependency<IAuthorizationService>()
|
sutProvider.GetDependency<IAuthorizationService>()
|
||||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToServiceAccount(existingServiceAccount.Id),
|
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data.ToServiceAccount(existingServiceAccount.Id),
|
||||||
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
||||||
var resultServiceAccount = data.ToServiceAccount(existingServiceAccount.Id);
|
var resultServiceAccount = data.ToServiceAccount(existingServiceAccount.Id);
|
||||||
sutProvider.GetDependency<IUpdateServiceAccountCommand>().UpdateAsync(default).ReturnsForAnyArgs(resultServiceAccount);
|
sutProvider.GetDependency<IUpdateServiceAccountCommand>().UpdateAsync(default)
|
||||||
|
.ReturnsForAnyArgs(resultServiceAccount);
|
||||||
|
|
||||||
var result = await sutProvider.Sut.UpdateAsync(existingServiceAccount.Id, data);
|
var result = await sutProvider.Sut.UpdateAsync(existingServiceAccount.Id, data);
|
||||||
await sutProvider.GetDependency<IUpdateServiceAccountCommand>().Received(1)
|
await sutProvider.GetDependency<IUpdateServiceAccountCommand>().Received(1)
|
||||||
.UpdateAsync(Arg.Any<ServiceAccount>());
|
.UpdateAsync(Arg.Any<ServiceAccount>());
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData]
|
[BitAutoData]
|
||||||
public async void CreateAccessToken_Success(SutProvider<ServiceAccountsController> sutProvider, AccessTokenCreateRequestModel data, Guid serviceAccountId)
|
public async void CreateAccessToken_NoAccess_Throws(SutProvider<ServiceAccountsController> sutProvider,
|
||||||
|
AccessTokenCreateRequestModel data, ServiceAccount serviceAccount)
|
||||||
{
|
{
|
||||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(serviceAccount.Id).Returns(serviceAccount);
|
||||||
var resultAccessToken = data.ToApiKey(serviceAccountId);
|
sutProvider.GetDependency<IAuthorizationService>()
|
||||||
|
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), serviceAccount,
|
||||||
|
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
|
||||||
|
var resultAccessToken = data.ToApiKey(serviceAccount.Id);
|
||||||
|
|
||||||
sutProvider.GetDependency<ICreateAccessTokenCommand>().CreateAsync(default, default).ReturnsForAnyArgs(resultAccessToken);
|
sutProvider.GetDependency<ICreateAccessTokenCommand>().CreateAsync(default)
|
||||||
|
.ReturnsForAnyArgs(resultAccessToken);
|
||||||
|
|
||||||
var result = await sutProvider.Sut.CreateAccessTokenAsync(serviceAccountId, data);
|
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||||
|
sutProvider.Sut.CreateAccessTokenAsync(serviceAccount.Id, data));
|
||||||
|
await sutProvider.GetDependency<ICreateAccessTokenCommand>().DidNotReceiveWithAnyArgs()
|
||||||
|
.CreateAsync(Arg.Any<ApiKey>());
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData]
|
||||||
|
public async void CreateAccessToken_Success(SutProvider<ServiceAccountsController> sutProvider,
|
||||||
|
AccessTokenCreateRequestModel data, ServiceAccount serviceAccount)
|
||||||
|
{
|
||||||
|
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(serviceAccount.Id).Returns(serviceAccount);
|
||||||
|
sutProvider.GetDependency<IAuthorizationService>()
|
||||||
|
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), serviceAccount,
|
||||||
|
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
||||||
|
var resultAccessToken = data.ToApiKey(serviceAccount.Id);
|
||||||
|
|
||||||
|
sutProvider.GetDependency<ICreateAccessTokenCommand>().CreateAsync(default)
|
||||||
|
.ReturnsForAnyArgs(resultAccessToken);
|
||||||
|
|
||||||
|
await sutProvider.Sut.CreateAccessTokenAsync(serviceAccount.Id, data);
|
||||||
await sutProvider.GetDependency<ICreateAccessTokenCommand>().Received(1)
|
await sutProvider.GetDependency<ICreateAccessTokenCommand>().Received(1)
|
||||||
.CreateAsync(Arg.Any<ApiKey>(), Arg.Any<Guid>());
|
.CreateAsync(Arg.Any<ApiKey>());
|
||||||
}
|
}
|
||||||
|
|
||||||
[Theory]
|
[Theory]
|
||||||
[BitAutoData]
|
[BitAutoData]
|
||||||
public async void GetAccessTokens_NoServiceAccount_ThrowsNotFound(SutProvider<ServiceAccountsController> sutProvider, Guid serviceAccountId)
|
public async void GetAccessTokens_NoAccess_Throws(SutProvider<ServiceAccountsController> sutProvider,
|
||||||
|
ServiceAccount data, ICollection<ApiKey> resultApiKeys)
|
||||||
{
|
{
|
||||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid());
|
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsNull();
|
|
||||||
|
|
||||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetAccessTokens(serviceAccountId));
|
|
||||||
|
|
||||||
await sutProvider.GetDependency<IApiKeyRepository>().DidNotReceiveWithAnyArgs().GetManyByServiceAccountIdAsync(Arg.Any<Guid>());
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory]
|
|
||||||
[BitAutoData]
|
|
||||||
public async void GetAccessTokens_Admin_Success(SutProvider<ServiceAccountsController> sutProvider, ServiceAccount data, Guid userId, ICollection<ApiKey> resultApiKeys)
|
|
||||||
{
|
|
||||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
|
|
||||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(data.OrganizationId).Returns(true);
|
|
||||||
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(data.OrganizationId).Returns(true);
|
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
|
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
|
||||||
|
sutProvider.GetDependency<IAuthorizationService>()
|
||||||
|
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data,
|
||||||
|
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
|
||||||
|
|
||||||
foreach (var apiKey in resultApiKeys)
|
foreach (var apiKey in resultApiKeys)
|
||||||
{
|
{
|
||||||
apiKey.Scope = "[\"api.secrets\"]";
|
apiKey.Scope = "[\"api.secrets\"]";
|
||||||
}
|
}
|
||||||
sutProvider.GetDependency<IApiKeyRepository>().GetManyByServiceAccountIdAsync(default).ReturnsForAnyArgs(resultApiKeys);
|
|
||||||
|
|
||||||
var result = await sutProvider.Sut.GetAccessTokens(data.Id);
|
sutProvider.GetDependency<IApiKeyRepository>().GetManyByServiceAccountIdAsync(default)
|
||||||
await sutProvider.GetDependency<IApiKeyRepository>().Received(1).GetManyByServiceAccountIdAsync(Arg.Any<Guid>());
|
.ReturnsForAnyArgs(resultApiKeys);
|
||||||
Assert.NotEmpty(result.Data);
|
|
||||||
Assert.Equal(resultApiKeys.Count, result.Data.Count());
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory]
|
|
||||||
[BitAutoData]
|
|
||||||
public async void GetAccessTokens_User_Success(SutProvider<ServiceAccountsController> sutProvider, ServiceAccount data, Guid userId, ICollection<ApiKey> resultApiKeys)
|
|
||||||
{
|
|
||||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
|
|
||||||
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(data.OrganizationId).Returns(true);
|
|
||||||
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(data.OrganizationId).Returns(false);
|
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().UserHasReadAccessToServiceAccount(default, default).ReturnsForAnyArgs(true);
|
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
|
|
||||||
foreach (var apiKey in resultApiKeys)
|
|
||||||
{
|
|
||||||
apiKey.Scope = "[\"api.secrets\"]";
|
|
||||||
}
|
|
||||||
sutProvider.GetDependency<IApiKeyRepository>().GetManyByServiceAccountIdAsync(default).ReturnsForAnyArgs(resultApiKeys);
|
|
||||||
|
|
||||||
var result = await sutProvider.Sut.GetAccessTokens(data.Id);
|
|
||||||
await sutProvider.GetDependency<IApiKeyRepository>().Received(1).GetManyByServiceAccountIdAsync(Arg.Any<Guid>());
|
|
||||||
Assert.NotEmpty(result.Data);
|
|
||||||
Assert.Equal(resultApiKeys.Count, result.Data.Count());
|
|
||||||
}
|
|
||||||
|
|
||||||
[Theory]
|
|
||||||
[BitAutoData]
|
|
||||||
public async void GetAccessTokens_UserNoAccess_ThrowsNotFound(SutProvider<ServiceAccountsController> sutProvider, ServiceAccount data, Guid userId, ICollection<ApiKey> resultApiKeys)
|
|
||||||
{
|
|
||||||
sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
|
|
||||||
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(data.OrganizationId).Returns(false);
|
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().UserHasReadAccessToServiceAccount(default, default).ReturnsForAnyArgs(false);
|
|
||||||
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
|
|
||||||
foreach (var apiKey in resultApiKeys)
|
|
||||||
{
|
|
||||||
apiKey.Scope = "[\"api.secrets\"]";
|
|
||||||
}
|
|
||||||
sutProvider.GetDependency<IApiKeyRepository>().GetManyByServiceAccountIdAsync(default).ReturnsForAnyArgs(resultApiKeys);
|
|
||||||
|
|
||||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetAccessTokens(data.Id));
|
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.GetAccessTokens(data.Id));
|
||||||
|
await sutProvider.GetDependency<IApiKeyRepository>().DidNotReceiveWithAnyArgs()
|
||||||
|
.GetManyByServiceAccountIdAsync(Arg.Any<Guid>());
|
||||||
|
}
|
||||||
|
|
||||||
await sutProvider.GetDependency<IApiKeyRepository>().DidNotReceiveWithAnyArgs().GetManyByServiceAccountIdAsync(Arg.Any<Guid>());
|
[Theory]
|
||||||
|
[BitAutoData]
|
||||||
|
public async void GetAccessTokens_Success(SutProvider<ServiceAccountsController> sutProvider, ServiceAccount data,
|
||||||
|
ICollection<ApiKey> resultApiKeys)
|
||||||
|
{
|
||||||
|
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(default).ReturnsForAnyArgs(data);
|
||||||
|
sutProvider.GetDependency<IAuthorizationService>()
|
||||||
|
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), data,
|
||||||
|
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
||||||
|
|
||||||
|
foreach (var apiKey in resultApiKeys)
|
||||||
|
{
|
||||||
|
apiKey.Scope = "[\"api.secrets\"]";
|
||||||
|
}
|
||||||
|
|
||||||
|
sutProvider.GetDependency<IApiKeyRepository>().GetManyByServiceAccountIdAsync(default)
|
||||||
|
.ReturnsForAnyArgs(resultApiKeys);
|
||||||
|
|
||||||
|
var result = await sutProvider.Sut.GetAccessTokens(data.Id);
|
||||||
|
await sutProvider.GetDependency<IApiKeyRepository>().Received(1)
|
||||||
|
.GetManyByServiceAccountIdAsync(Arg.Any<Guid>());
|
||||||
|
Assert.NotEmpty(result.Data);
|
||||||
|
Assert.Equal(resultApiKeys.Count, result.Data.Count());
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData]
|
||||||
|
public async void RevokeAccessTokens_NoAccess_Throws(SutProvider<ServiceAccountsController> sutProvider,
|
||||||
|
RevokeAccessTokensRequest data, ServiceAccount serviceAccount)
|
||||||
|
{
|
||||||
|
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(serviceAccount.Id).Returns(serviceAccount);
|
||||||
|
sutProvider.GetDependency<IAuthorizationService>()
|
||||||
|
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), serviceAccount,
|
||||||
|
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Failed());
|
||||||
|
|
||||||
|
await Assert.ThrowsAsync<NotFoundException>(() =>
|
||||||
|
sutProvider.Sut.RevokeAccessTokensAsync(serviceAccount.Id, data));
|
||||||
|
await sutProvider.GetDependency<IRevokeAccessTokensCommand>().DidNotReceiveWithAnyArgs()
|
||||||
|
.RevokeAsync(Arg.Any<ServiceAccount>(), Arg.Any<Guid[]>());
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitAutoData]
|
||||||
|
public async void RevokeAccessTokens_Success(SutProvider<ServiceAccountsController> sutProvider,
|
||||||
|
RevokeAccessTokensRequest data, ServiceAccount serviceAccount)
|
||||||
|
{
|
||||||
|
sutProvider.GetDependency<IServiceAccountRepository>().GetByIdAsync(serviceAccount.Id).Returns(serviceAccount);
|
||||||
|
sutProvider.GetDependency<IAuthorizationService>()
|
||||||
|
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), serviceAccount,
|
||||||
|
Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
|
||||||
|
|
||||||
|
await sutProvider.Sut.RevokeAccessTokensAsync(serviceAccount.Id, data);
|
||||||
|
await sutProvider.GetDependency<IRevokeAccessTokensCommand>().Received(1)
|
||||||
|
.RevokeAsync(Arg.Any<ServiceAccount>(), Arg.Any<Guid[]>());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user