mirror of
https://github.com/bitwarden/server.git
synced 2024-12-22 16:57:36 +01:00
[AC-1593] Auto-Grant SM access to org owner when they add SM (#3349)
* Auto grant SM access to org owner * Thomas' feedback
This commit is contained in:
parent
d9faa9a6df
commit
34a3d4a4df
@ -320,8 +320,16 @@ public class OrganizationsController : Controller
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var result = await _upgradeOrganizationPlanCommand.UpgradePlanAsync(orgIdGuid, model.ToOrganizationUpgrade());
|
||||
return new PaymentResponseModel { Success = result.Item1, PaymentIntentClientSecret = result.Item2 };
|
||||
var (success, paymentIntentClientSecret) = await _upgradeOrganizationPlanCommand.UpgradePlanAsync(orgIdGuid, model.ToOrganizationUpgrade());
|
||||
|
||||
if (model.UseSecretsManager && success)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
|
||||
await TryGrantOwnerAccessToSecretsManagerAsync(orgIdGuid, userId);
|
||||
}
|
||||
|
||||
return new PaymentResponseModel { Success = success, PaymentIntentClientSecret = paymentIntentClientSecret };
|
||||
}
|
||||
|
||||
[HttpPost("{id}/subscription")]
|
||||
@ -374,6 +382,9 @@ public class OrganizationsController : Controller
|
||||
model.AdditionalServiceAccounts);
|
||||
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
|
||||
await TryGrantOwnerAccessToSecretsManagerAsync(organization.Id, userId);
|
||||
|
||||
var organizationDetails = await _organizationUserRepository.GetDetailsByUserAsync(userId, organization.Id,
|
||||
OrganizationUserStatusType.Confirmed);
|
||||
|
||||
@ -786,4 +797,15 @@ public class OrganizationsController : Controller
|
||||
await _organizationService.UpdateAsync(model.ToOrganization(organization));
|
||||
return new OrganizationResponseModel(organization);
|
||||
}
|
||||
|
||||
private async Task TryGrantOwnerAccessToSecretsManagerAsync(Guid organizationId, Guid userId)
|
||||
{
|
||||
var organizationUser = await _organizationUserRepository.GetByOrganizationAsync(organizationId, userId);
|
||||
|
||||
if (organizationUser != null)
|
||||
{
|
||||
organizationUser.AccessSecretsManager = true;
|
||||
await _organizationUserRepository.ReplaceAsync(organizationUser);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -1,6 +1,8 @@
|
||||
using System.Security.Claims;
|
||||
using AutoFixture.Xunit2;
|
||||
using Bit.Api.AdminConsole.Controllers;
|
||||
using Bit.Api.AdminConsole.Models.Request.Organizations;
|
||||
using Bit.Api.Models.Request.Organizations;
|
||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationApiKeys.Interfaces;
|
||||
using Bit.Core.AdminConsole.Repositories;
|
||||
using Bit.Core.Auth.Entities;
|
||||
@ -10,13 +12,17 @@ using Bit.Core.Auth.Repositories;
|
||||
using Bit.Core.Auth.Services;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Models.Business;
|
||||
using Bit.Core.Models.Data.Organizations.OrganizationUsers;
|
||||
using Bit.Core.OrganizationFeatures.OrganizationLicenses.Interfaces;
|
||||
using Bit.Core.OrganizationFeatures.OrganizationSubscriptions.Interface;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Core.Settings;
|
||||
using NSubstitute;
|
||||
using NSubstitute.ReturnsExtensions;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Api.Test.AdminConsole.Controllers;
|
||||
@ -145,4 +151,194 @@ public class OrganizationsControllerTests : IDisposable
|
||||
await _organizationService.DeleteUserAsync(orgId, user.Id);
|
||||
await _organizationService.Received(1).DeleteUserAsync(orgId, user.Id);
|
||||
}
|
||||
|
||||
[Theory, AutoData]
|
||||
public async Task OrganizationsController_PostUpgrade_UserCannotEditSubscription_ThrowsNotFoundException(
|
||||
Guid organizationId,
|
||||
OrganizationUpgradeRequestModel model)
|
||||
{
|
||||
_currentContext.EditSubscription(organizationId).Returns(false);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => _sut.PostUpgrade(organizationId.ToString(), model));
|
||||
}
|
||||
|
||||
[Theory, AutoData]
|
||||
public async Task OrganizationsController_PostUpgrade_NonSMUpgrade_ReturnsCorrectResponse(
|
||||
Guid organizationId,
|
||||
OrganizationUpgradeRequestModel model,
|
||||
bool success,
|
||||
string paymentIntentClientSecret)
|
||||
{
|
||||
model.UseSecretsManager = false;
|
||||
|
||||
_currentContext.EditSubscription(organizationId).Returns(true);
|
||||
|
||||
_upgradeOrganizationPlanCommand.UpgradePlanAsync(organizationId, Arg.Any<OrganizationUpgrade>())
|
||||
.Returns(new Tuple<bool, string>(success, paymentIntentClientSecret));
|
||||
|
||||
var response = await _sut.PostUpgrade(organizationId.ToString(), model);
|
||||
|
||||
Assert.Equal(success, response.Success);
|
||||
Assert.Equal(paymentIntentClientSecret, response.PaymentIntentClientSecret);
|
||||
}
|
||||
|
||||
[Theory, AutoData]
|
||||
public async Task OrganizationsController_PostUpgrade_SMUpgrade_ProvidesAccess_ReturnsCorrectResponse(
|
||||
Guid organizationId,
|
||||
Guid userId,
|
||||
OrganizationUpgradeRequestModel model,
|
||||
bool success,
|
||||
string paymentIntentClientSecret,
|
||||
OrganizationUser organizationUser)
|
||||
{
|
||||
model.UseSecretsManager = true;
|
||||
organizationUser.AccessSecretsManager = false;
|
||||
|
||||
_currentContext.EditSubscription(organizationId).Returns(true);
|
||||
|
||||
_upgradeOrganizationPlanCommand.UpgradePlanAsync(organizationId, Arg.Any<OrganizationUpgrade>())
|
||||
.Returns(new Tuple<bool, string>(success, paymentIntentClientSecret));
|
||||
|
||||
_userService.GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(userId);
|
||||
|
||||
_organizationUserRepository.GetByOrganizationAsync(organizationId, userId).Returns(organizationUser);
|
||||
|
||||
var response = await _sut.PostUpgrade(organizationId.ToString(), model);
|
||||
|
||||
Assert.Equal(success, response.Success);
|
||||
Assert.Equal(paymentIntentClientSecret, response.PaymentIntentClientSecret);
|
||||
|
||||
await _organizationUserRepository.Received(1).ReplaceAsync(Arg.Is<OrganizationUser>(orgUser =>
|
||||
orgUser.Id == organizationUser.Id && orgUser.AccessSecretsManager == true));
|
||||
}
|
||||
|
||||
[Theory, AutoData]
|
||||
public async Task OrganizationsController_PostUpgrade_SMUpgrade_NullOrgUser_ReturnsCorrectResponse(
|
||||
Guid organizationId,
|
||||
Guid userId,
|
||||
OrganizationUpgradeRequestModel model,
|
||||
bool success,
|
||||
string paymentIntentClientSecret)
|
||||
{
|
||||
model.UseSecretsManager = true;
|
||||
|
||||
_currentContext.EditSubscription(organizationId).Returns(true);
|
||||
|
||||
_upgradeOrganizationPlanCommand.UpgradePlanAsync(organizationId, Arg.Any<OrganizationUpgrade>())
|
||||
.Returns(new Tuple<bool, string>(success, paymentIntentClientSecret));
|
||||
|
||||
_userService.GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(userId);
|
||||
|
||||
_organizationUserRepository.GetByOrganizationAsync(organizationId, userId).ReturnsNull();
|
||||
|
||||
var response = await _sut.PostUpgrade(organizationId.ToString(), model);
|
||||
|
||||
Assert.Equal(success, response.Success);
|
||||
Assert.Equal(paymentIntentClientSecret, response.PaymentIntentClientSecret);
|
||||
|
||||
await _organizationUserRepository.DidNotReceiveWithAnyArgs().ReplaceAsync(Arg.Any<OrganizationUser>());
|
||||
}
|
||||
|
||||
[Theory, AutoData]
|
||||
public async Task OrganizationsController_PostSubscribeSecretsManagerAsync_NullOrg_ThrowsNotFoundException(
|
||||
Guid organizationId,
|
||||
SecretsManagerSubscribeRequestModel model)
|
||||
{
|
||||
_organizationRepository.GetByIdAsync(organizationId).ReturnsNull();
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => _sut.PostSubscribeSecretsManagerAsync(organizationId, model));
|
||||
}
|
||||
|
||||
[Theory, AutoData]
|
||||
public async Task OrganizationsController_PostSubscribeSecretsManagerAsync_UserCannotEditSubscription_ThrowsNotFoundException(
|
||||
Guid organizationId,
|
||||
SecretsManagerSubscribeRequestModel model,
|
||||
Organization organization)
|
||||
{
|
||||
_organizationRepository.GetByIdAsync(organizationId).Returns(organization);
|
||||
|
||||
_currentContext.EditSubscription(organizationId).Returns(false);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => _sut.PostSubscribeSecretsManagerAsync(organizationId, model));
|
||||
}
|
||||
|
||||
[Theory, AutoData]
|
||||
public async Task OrganizationsController_PostSubscribeSecretsManagerAsync_ProvidesAccess_ReturnsCorrectResponse(
|
||||
Guid organizationId,
|
||||
SecretsManagerSubscribeRequestModel model,
|
||||
Organization organization,
|
||||
Guid userId,
|
||||
OrganizationUser organizationUser,
|
||||
OrganizationUserOrganizationDetails organizationUserOrganizationDetails)
|
||||
{
|
||||
organizationUser.AccessSecretsManager = false;
|
||||
|
||||
var ssoConfigurationData = new SsoConfigurationData
|
||||
{
|
||||
MemberDecryptionType = MemberDecryptionType.KeyConnector,
|
||||
KeyConnectorUrl = "https://example.com"
|
||||
};
|
||||
|
||||
organizationUserOrganizationDetails.Permissions = string.Empty;
|
||||
organizationUserOrganizationDetails.SsoConfig = ssoConfigurationData.Serialize();
|
||||
|
||||
_organizationRepository.GetByIdAsync(organizationId).Returns(organization);
|
||||
|
||||
_currentContext.EditSubscription(organizationId).Returns(true);
|
||||
|
||||
_userService.GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(userId);
|
||||
|
||||
_organizationUserRepository.GetByOrganizationAsync(organization.Id, userId).Returns(organizationUser);
|
||||
|
||||
_organizationUserRepository.GetDetailsByUserAsync(userId, organization.Id, OrganizationUserStatusType.Confirmed)
|
||||
.Returns(organizationUserOrganizationDetails);
|
||||
|
||||
var response = await _sut.PostSubscribeSecretsManagerAsync(organizationId, model);
|
||||
|
||||
Assert.Equal(response.Id, organizationUserOrganizationDetails.OrganizationId);
|
||||
Assert.Equal(response.Name, organizationUserOrganizationDetails.Name);
|
||||
|
||||
await _addSecretsManagerSubscriptionCommand.Received(1)
|
||||
.SignUpAsync(organization, model.AdditionalSmSeats, model.AdditionalServiceAccounts);
|
||||
await _organizationUserRepository.Received(1).ReplaceAsync(Arg.Is<OrganizationUser>(orgUser =>
|
||||
orgUser.Id == organizationUser.Id && orgUser.AccessSecretsManager == true));
|
||||
}
|
||||
|
||||
[Theory, AutoData]
|
||||
public async Task OrganizationsController_PostSubscribeSecretsManagerAsync_NullOrgUser_ReturnsCorrectResponse(
|
||||
Guid organizationId,
|
||||
SecretsManagerSubscribeRequestModel model,
|
||||
Organization organization,
|
||||
Guid userId,
|
||||
OrganizationUserOrganizationDetails organizationUserOrganizationDetails)
|
||||
{
|
||||
var ssoConfigurationData = new SsoConfigurationData
|
||||
{
|
||||
MemberDecryptionType = MemberDecryptionType.KeyConnector,
|
||||
KeyConnectorUrl = "https://example.com"
|
||||
};
|
||||
|
||||
organizationUserOrganizationDetails.Permissions = string.Empty;
|
||||
organizationUserOrganizationDetails.SsoConfig = ssoConfigurationData.Serialize();
|
||||
|
||||
_organizationRepository.GetByIdAsync(organizationId).Returns(organization);
|
||||
|
||||
_currentContext.EditSubscription(organizationId).Returns(true);
|
||||
|
||||
_userService.GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(userId);
|
||||
|
||||
_organizationUserRepository.GetByOrganizationAsync(organization.Id, userId).ReturnsNull();
|
||||
|
||||
_organizationUserRepository.GetDetailsByUserAsync(userId, organization.Id, OrganizationUserStatusType.Confirmed)
|
||||
.Returns(organizationUserOrganizationDetails);
|
||||
|
||||
var response = await _sut.PostSubscribeSecretsManagerAsync(organizationId, model);
|
||||
|
||||
Assert.Equal(response.Id, organizationUserOrganizationDetails.OrganizationId);
|
||||
Assert.Equal(response.Name, organizationUserOrganizationDetails.Name);
|
||||
|
||||
await _addSecretsManagerSubscriptionCommand.Received(1)
|
||||
.SignUpAsync(organization, model.AdditionalSmSeats, model.AdditionalServiceAccounts);
|
||||
await _organizationUserRepository.DidNotReceiveWithAnyArgs().ReplaceAsync(Arg.Any<OrganizationUser>());
|
||||
}
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user