[AC-2887] Added Billing Authorization Where Missing (#4525)

* Added missing authorization validation to OrganizationBillingController endpoints

* Moved authorization validation to top of each method

* Resolved broken unit tests and added some new ones

src/Api/Billing/Controllers/OrganizationBillingController.cs

@@ -20,6 +20,11 @@ public class OrganizationBillingController(
     [HttpGet("metadata")]
     public async Task<IResult> GetMetadataAsync([FromRoute] Guid organizationId)
     {
+        if (!await currentContext.ViewBillingHistory(organizationId))
+        {
+            return TypedResults.Unauthorized();
+        }
+
         var metadata = await organizationBillingService.GetMetadata(organizationId);
 
         if (metadata == null)
@@ -35,6 +40,11 @@ public class OrganizationBillingController(
     [HttpGet("history")]
     public async Task<IResult> GetHistoryAsync([FromRoute] Guid organizationId)
     {
+        if (!await currentContext.ViewBillingHistory(organizationId))
+        {
+            return TypedResults.Unauthorized();
+        }
+
         var organization = await organizationRepository.GetByIdAsync(organizationId);
 
         if (organization == null)

src/Api/Billing/Controllers/OrganizationsController.cs

@@ -162,13 +162,13 @@ public class OrganizationsController(
     [SelfHosted(NotSelfHostedOnly = true)]
     public async Task PostSmSubscription(Guid id, [FromBody] SecretsManagerSubscriptionUpdateRequestModel model)
     {
-        var organization = await organizationRepository.GetByIdAsync(id);
+        if (!await currentContext.EditSubscription(id))
-        if (organization == null)
         {
             throw new NotFoundException();
         }
 
-        if (!await currentContext.EditSubscription(id))
+        var organization = await organizationRepository.GetByIdAsync(id);
+        if (organization == null)
         {
             throw new NotFoundException();
         }
@@ -195,13 +195,13 @@ public class OrganizationsController(
     [SelfHosted(NotSelfHostedOnly = true)]
     public async Task<ProfileOrganizationResponseModel> PostSubscribeSecretsManagerAsync(Guid id, [FromBody] SecretsManagerSubscribeRequestModel model)
     {
-        var organization = await organizationRepository.GetByIdAsync(id);
+        if (!await currentContext.EditSubscription(id))
-        if (organization == null)
         {
             throw new NotFoundException();
         }
 
-        if (!await currentContext.EditSubscription(id))
+        var organization = await organizationRepository.GetByIdAsync(id);
+        if (organization == null)
         {
             throw new NotFoundException();
         }

test/Api.Test/Billing/Controllers/OrganizationBillingControllerTests.cs

@@ -1,7 +1,11 @@
 using Bit.Api.Billing.Controllers;
 using Bit.Api.Billing.Models.Responses;
+using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Billing.Models;
 using Bit.Core.Billing.Services;
+using Bit.Core.Context;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Test.Common.AutoFixture;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.Http.HttpResults;
@@ -14,11 +18,26 @@ namespace Bit.Api.Test.Billing.Controllers;
 [SutProviderCustomize]
 public class OrganizationBillingControllerTests
 {
+    [Theory, BitAutoData]
+    public async Task GetMetadataAsync_Unauthorized_ReturnsUnauthorized(
+        Guid organizationId,
+        SutProvider<OrganizationBillingController> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(false);
+
+        var result = await sutProvider.Sut.GetMetadataAsync(organizationId);
+
+        Assert.IsType<UnauthorizedHttpResult>(result);
+    }
+
     [Theory, BitAutoData]
     public async Task GetMetadataAsync_MetadataNull_NotFound(
         Guid organizationId,
         SutProvider<OrganizationBillingController> sutProvider)
     {
+        sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(true);
+        sutProvider.GetDependency<IOrganizationBillingService>().GetMetadata(organizationId).Returns((OrganizationMetadataDTO)null);
+
         var result = await sutProvider.Sut.GetMetadataAsync(organizationId);
 
         Assert.IsType<NotFound>(result);
@@ -29,6 +48,7 @@ public class OrganizationBillingControllerTests
         Guid organizationId,
         SutProvider<OrganizationBillingController> sutProvider)
     {
+        sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(true);
         sutProvider.GetDependency<IOrganizationBillingService>().GetMetadata(organizationId)
             .Returns(new OrganizationMetadataDTO(true));
 
@@ -40,4 +60,53 @@ public class OrganizationBillingControllerTests
 
         Assert.True(organizationMetadataResponse.IsOnSecretsManagerStandalone);
     }
+
+    [Theory, BitAutoData]
+    public async Task GetHistoryAsync_Unauthorized_ReturnsUnauthorized(
+        Guid organizationId,
+        SutProvider<OrganizationBillingController> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(false);
+
+        var result = await sutProvider.Sut.GetHistoryAsync(organizationId);
+
+        Assert.IsType<UnauthorizedHttpResult>(result);
+    }
+
+    [Theory, BitAutoData]
+    public async Task GetHistoryAsync_OrganizationNotFound_ReturnsNotFound(
+        Guid organizationId,
+        SutProvider<OrganizationBillingController> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(true);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns((Organization)null);
+
+        var result = await sutProvider.Sut.GetHistoryAsync(organizationId);
+
+        Assert.IsType<NotFound>(result);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetHistoryAsync_OK(
+        Guid organizationId,
+        Organization organization,
+        SutProvider<OrganizationBillingController> sutProvider)
+    {
+        // Arrange
+        sutProvider.GetDependency<ICurrentContext>().ViewBillingHistory(organizationId).Returns(true);
+        sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organizationId).Returns(organization);
+
+        // Manually create a BillingHistoryInfo object to avoid requiring AutoFixture to create HttpResponseHeaders
+        var billingInfo = new BillingHistoryInfo();
+
+        sutProvider.GetDependency<IPaymentService>().GetBillingHistoryAsync(organization).Returns(billingInfo);
+
+        // Act
+        var result = await sutProvider.Sut.GetHistoryAsync(organizationId);
+
+        // Assert
+        var okResult = Assert.IsType<Ok<BillingHistoryInfo>>(result);
+        Assert.Equal(billingInfo, okResult.Value);
+    }
 }