mirror of
https://github.com/bitwarden/server.git
synced 2024-12-22 16:57:36 +01:00
[SM-390] Project Access Policies (#2507)
The purpose of this PR is to create server endpoints for creating, reading, updating, and deleting access policies for projects.
This commit is contained in:
parent
ae647bbf44
commit
53ba2eeb18
@ -0,0 +1,45 @@
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
|
||||
|
||||
namespace Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
|
||||
|
||||
public class CreateAccessPoliciesCommand : ICreateAccessPoliciesCommand
|
||||
{
|
||||
private readonly IAccessPolicyRepository _accessPolicyRepository;
|
||||
|
||||
public CreateAccessPoliciesCommand(IAccessPolicyRepository accessPolicyRepository)
|
||||
{
|
||||
_accessPolicyRepository = accessPolicyRepository;
|
||||
}
|
||||
|
||||
public async Task<List<BaseAccessPolicy>> CreateAsync(List<BaseAccessPolicy> accessPolicies)
|
||||
{
|
||||
var distinctAccessPolicies = accessPolicies.DistinctBy(baseAccessPolicy =>
|
||||
{
|
||||
return baseAccessPolicy switch
|
||||
{
|
||||
UserProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId, ap.GrantedProjectId),
|
||||
GroupProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedProjectId),
|
||||
ServiceAccountProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.ServiceAccountId, ap.GrantedProjectId),
|
||||
_ => throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy))
|
||||
};
|
||||
}).ToList();
|
||||
|
||||
if (accessPolicies.Count != distinctAccessPolicies.Count)
|
||||
{
|
||||
throw new BadRequestException("Resources must be unique");
|
||||
}
|
||||
|
||||
foreach (var accessPolicy in accessPolicies)
|
||||
{
|
||||
if (await _accessPolicyRepository.AccessPolicyExists(accessPolicy))
|
||||
{
|
||||
throw new BadRequestException("Resource already exists");
|
||||
}
|
||||
}
|
||||
|
||||
return await _accessPolicyRepository.CreateManyAsync(accessPolicies);
|
||||
}
|
||||
}
|
@ -0,0 +1,27 @@
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
|
||||
|
||||
namespace Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
|
||||
|
||||
public class DeleteAccessPolicyCommand : IDeleteAccessPolicyCommand
|
||||
{
|
||||
private readonly IAccessPolicyRepository _accessPolicyRepository;
|
||||
|
||||
public DeleteAccessPolicyCommand(IAccessPolicyRepository accessPolicyRepository)
|
||||
{
|
||||
_accessPolicyRepository = accessPolicyRepository;
|
||||
}
|
||||
|
||||
|
||||
public async Task DeleteAsync(Guid id)
|
||||
{
|
||||
var accessPolicy = await _accessPolicyRepository.GetByIdAsync(id);
|
||||
if (accessPolicy == null)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
await _accessPolicyRepository.DeleteAsync(id);
|
||||
}
|
||||
}
|
@ -0,0 +1,32 @@
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
|
||||
|
||||
namespace Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
|
||||
|
||||
public class UpdateAccessPolicyCommand : IUpdateAccessPolicyCommand
|
||||
{
|
||||
private readonly IAccessPolicyRepository _accessPolicyRepository;
|
||||
|
||||
public UpdateAccessPolicyCommand(IAccessPolicyRepository accessPolicyRepository)
|
||||
{
|
||||
_accessPolicyRepository = accessPolicyRepository;
|
||||
}
|
||||
|
||||
public async Task<BaseAccessPolicy> UpdateAsync(Guid id, bool read, bool write)
|
||||
{
|
||||
var accessPolicy = await _accessPolicyRepository.GetByIdAsync(id);
|
||||
if (accessPolicy == null)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
accessPolicy.Read = read;
|
||||
accessPolicy.Write = write;
|
||||
accessPolicy.RevisionDate = DateTime.UtcNow;
|
||||
|
||||
await _accessPolicyRepository.ReplaceAsync(accessPolicy);
|
||||
return accessPolicy;
|
||||
}
|
||||
}
|
@ -1,7 +1,9 @@
|
||||
using Bit.Commercial.Core.SecretManagerFeatures.AccessTokens;
|
||||
using Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
|
||||
using Bit.Commercial.Core.SecretManagerFeatures.AccessTokens;
|
||||
using Bit.Commercial.Core.SecretManagerFeatures.Projects;
|
||||
using Bit.Commercial.Core.SecretManagerFeatures.Secrets;
|
||||
using Bit.Commercial.Core.SecretManagerFeatures.ServiceAccounts;
|
||||
using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
|
||||
using Bit.Core.SecretManagerFeatures.AccessTokens.Interfaces;
|
||||
using Bit.Core.SecretManagerFeatures.Projects.Interfaces;
|
||||
using Bit.Core.SecretManagerFeatures.Secrets.Interfaces;
|
||||
@ -23,6 +25,8 @@ public static class SecretManagerCollectionExtensions
|
||||
services.AddScoped<ICreateServiceAccountCommand, CreateServiceAccountCommand>();
|
||||
services.AddScoped<IUpdateServiceAccountCommand, UpdateServiceAccountCommand>();
|
||||
services.AddScoped<ICreateAccessTokenCommand, CreateAccessTokenCommand>();
|
||||
services.AddScoped<ICreateAccessPoliciesCommand, CreateAccessPoliciesCommand>();
|
||||
services.AddScoped<IUpdateAccessPolicyCommand, UpdateAccessPolicyCommand>();
|
||||
services.AddScoped<IDeleteAccessPolicyCommand, DeleteAccessPolicyCommand>();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1,6 +1,5 @@
|
||||
using Bit.Commercial.Infrastructure.EntityFramework.Repositories;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Infrastructure.EntityFramework.Repositories;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
|
||||
namespace Bit.Commercial.Infrastructure.EntityFramework;
|
||||
@ -15,4 +14,3 @@ public static class CommercialEFServiceCollectionExtensions
|
||||
services.AddSingleton<IServiceAccountRepository, ServiceAccountRepository>();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -0,0 +1,171 @@
|
||||
using AutoMapper;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Infrastructure.EntityFramework.Models;
|
||||
using Bit.Infrastructure.EntityFramework.Repositories;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
|
||||
namespace Bit.Commercial.Infrastructure.EntityFramework.Repositories;
|
||||
|
||||
public class AccessPolicyRepository : BaseEntityFrameworkRepository, IAccessPolicyRepository
|
||||
{
|
||||
public AccessPolicyRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper) : base(serviceScopeFactory,
|
||||
mapper)
|
||||
{
|
||||
}
|
||||
|
||||
public async Task<List<Core.Entities.BaseAccessPolicy>> CreateManyAsync(List<Core.Entities.BaseAccessPolicy> baseAccessPolicies)
|
||||
{
|
||||
using (var scope = ServiceScopeFactory.CreateScope())
|
||||
{
|
||||
var dbContext = GetDatabaseContext(scope);
|
||||
foreach (var baseAccessPolicy in baseAccessPolicies)
|
||||
{
|
||||
baseAccessPolicy.SetNewId();
|
||||
switch (baseAccessPolicy)
|
||||
{
|
||||
case Core.Entities.UserProjectAccessPolicy accessPolicy:
|
||||
{
|
||||
var entity =
|
||||
Mapper.Map<UserProjectAccessPolicy>(accessPolicy);
|
||||
await dbContext.AddAsync(entity);
|
||||
break;
|
||||
}
|
||||
case Core.Entities.GroupProjectAccessPolicy accessPolicy:
|
||||
{
|
||||
var entity = Mapper.Map<GroupProjectAccessPolicy>(accessPolicy);
|
||||
await dbContext.AddAsync(entity);
|
||||
break;
|
||||
}
|
||||
case Core.Entities.ServiceAccountProjectAccessPolicy accessPolicy:
|
||||
{
|
||||
var entity = Mapper.Map<ServiceAccountProjectAccessPolicy>(accessPolicy);
|
||||
await dbContext.AddAsync(entity);
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
await dbContext.SaveChangesAsync();
|
||||
return baseAccessPolicies;
|
||||
}
|
||||
}
|
||||
|
||||
public async Task<bool> AccessPolicyExists(Core.Entities.BaseAccessPolicy baseAccessPolicy)
|
||||
{
|
||||
using (var scope = ServiceScopeFactory.CreateScope())
|
||||
{
|
||||
var dbContext = GetDatabaseContext(scope);
|
||||
switch (baseAccessPolicy)
|
||||
{
|
||||
case Core.Entities.UserProjectAccessPolicy accessPolicy:
|
||||
{
|
||||
var policy = await dbContext.UserProjectAccessPolicy
|
||||
.Where(c => c.OrganizationUserId == accessPolicy.OrganizationUserId &&
|
||||
c.GrantedProjectId == accessPolicy.GrantedProjectId)
|
||||
.FirstOrDefaultAsync();
|
||||
return policy != null;
|
||||
}
|
||||
case Core.Entities.GroupProjectAccessPolicy accessPolicy:
|
||||
{
|
||||
var policy = await dbContext.GroupProjectAccessPolicy
|
||||
.Where(c => c.GroupId == accessPolicy.GroupId &&
|
||||
c.GrantedProjectId == accessPolicy.GrantedProjectId)
|
||||
.FirstOrDefaultAsync();
|
||||
return policy != null;
|
||||
}
|
||||
case Core.Entities.ServiceAccountProjectAccessPolicy accessPolicy:
|
||||
{
|
||||
var policy = await dbContext.ServiceAccountProjectAccessPolicy
|
||||
.Where(c => c.ServiceAccountId == accessPolicy.ServiceAccountId &&
|
||||
c.GrantedProjectId == accessPolicy.GrantedProjectId)
|
||||
.FirstOrDefaultAsync();
|
||||
return policy != null;
|
||||
}
|
||||
default:
|
||||
throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public async Task<Core.Entities.BaseAccessPolicy?> GetByIdAsync(Guid id)
|
||||
{
|
||||
using (var scope = ServiceScopeFactory.CreateScope())
|
||||
{
|
||||
var dbContext = GetDatabaseContext(scope);
|
||||
var entity = await dbContext.AccessPolicies.Where(ap => ap.Id == id)
|
||||
.Include(ap => ((UserProjectAccessPolicy)ap).OrganizationUser.User)
|
||||
.Include(ap => ((GroupProjectAccessPolicy)ap).Group)
|
||||
.Include(ap => ((ServiceAccountProjectAccessPolicy)ap).ServiceAccount)
|
||||
.FirstOrDefaultAsync();
|
||||
|
||||
if (entity == null)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
return MapToCore(entity);
|
||||
}
|
||||
}
|
||||
|
||||
public async Task ReplaceAsync(Core.Entities.BaseAccessPolicy baseAccessPolicy)
|
||||
{
|
||||
using (var scope = ServiceScopeFactory.CreateScope())
|
||||
{
|
||||
var dbContext = GetDatabaseContext(scope);
|
||||
var entity = await dbContext.AccessPolicies.FindAsync(baseAccessPolicy.Id);
|
||||
if (entity != null)
|
||||
{
|
||||
dbContext.AccessPolicies.Attach(entity);
|
||||
entity.Write = baseAccessPolicy.Write;
|
||||
entity.Read = baseAccessPolicy.Read;
|
||||
entity.RevisionDate = baseAccessPolicy.RevisionDate;
|
||||
await dbContext.SaveChangesAsync();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public async Task<IEnumerable<Core.Entities.BaseAccessPolicy>?> GetManyByProjectId(Guid id)
|
||||
{
|
||||
using (var scope = ServiceScopeFactory.CreateScope())
|
||||
{
|
||||
var dbContext = GetDatabaseContext(scope);
|
||||
|
||||
var entities = await dbContext.AccessPolicies.Where(ap =>
|
||||
((UserProjectAccessPolicy)ap).GrantedProjectId == id ||
|
||||
((GroupProjectAccessPolicy)ap).GrantedProjectId == id ||
|
||||
((ServiceAccountProjectAccessPolicy)ap).GrantedProjectId == id)
|
||||
.Include(ap => ((UserProjectAccessPolicy)ap).OrganizationUser.User)
|
||||
.Include(ap => ((GroupProjectAccessPolicy)ap).Group)
|
||||
.Include(ap => ((ServiceAccountProjectAccessPolicy)ap).ServiceAccount)
|
||||
.ToListAsync();
|
||||
|
||||
return !entities.Any() ? null : entities.Select(MapToCore);
|
||||
}
|
||||
}
|
||||
|
||||
public async Task DeleteAsync(Guid id)
|
||||
{
|
||||
using (var scope = ServiceScopeFactory.CreateScope())
|
||||
{
|
||||
var dbContext = GetDatabaseContext(scope);
|
||||
var entity = await dbContext.AccessPolicies.FindAsync(id);
|
||||
if (entity != null)
|
||||
{
|
||||
dbContext.Remove(entity);
|
||||
await dbContext.SaveChangesAsync();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
private Core.Entities.BaseAccessPolicy MapToCore(BaseAccessPolicy baseAccessPolicyEntity)
|
||||
{
|
||||
return baseAccessPolicyEntity switch
|
||||
{
|
||||
UserProjectAccessPolicy ap => Mapper.Map<Core.Entities.UserProjectAccessPolicy>(ap),
|
||||
GroupProjectAccessPolicy ap => Mapper.Map<Core.Entities.GroupProjectAccessPolicy>(ap),
|
||||
ServiceAccountProjectAccessPolicy ap => Mapper.Map<Core.Entities.ServiceAccountProjectAccessPolicy>(ap),
|
||||
_ => throw new ArgumentException("Unsupported access policy type")
|
||||
};
|
||||
}
|
||||
}
|
@ -0,0 +1,126 @@
|
||||
using Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Bit.Test.Common.Helpers;
|
||||
using NSubstitute;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Commercial.Core.Test.SecretManagerFeatures.AccessPolicies;
|
||||
|
||||
[SutProviderCustomize]
|
||||
public class CreateAccessPoliciesCommandTests
|
||||
{
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task CreateAsync_CallsCreate(List<UserProjectAccessPolicy> userProjectAccessPolicies,
|
||||
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
|
||||
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
|
||||
SutProvider<CreateAccessPoliciesCommand> sutProvider)
|
||||
{
|
||||
var data = new List<BaseAccessPolicy>();
|
||||
data.AddRange(userProjectAccessPolicies);
|
||||
data.AddRange(groupProjectAccessPolicies);
|
||||
data.AddRange(serviceAccountProjectAccessPolicies);
|
||||
|
||||
await sutProvider.Sut.CreateAsync(data);
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
|
||||
.CreateManyAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task CreateAsync_AlreadyExists_Throws_BadRequestException(
|
||||
List<UserProjectAccessPolicy> userProjectAccessPolicies,
|
||||
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
|
||||
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
|
||||
SutProvider<CreateAccessPoliciesCommand> sutProvider)
|
||||
{
|
||||
var data = new List<BaseAccessPolicy>();
|
||||
data.AddRange(userProjectAccessPolicies);
|
||||
data.AddRange(groupProjectAccessPolicies);
|
||||
data.AddRange(serviceAccountProjectAccessPolicies);
|
||||
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().AccessPolicyExists(Arg.Any<BaseAccessPolicy>())
|
||||
.Returns(true);
|
||||
|
||||
var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(data));
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().CreateManyAsync(default);
|
||||
}
|
||||
|
||||
|
||||
[Theory]
|
||||
[BitAutoData(true, false, false)]
|
||||
[BitAutoData(false, true, false)]
|
||||
[BitAutoData(true, true, false)]
|
||||
[BitAutoData(false, false, true)]
|
||||
[BitAutoData(true, false, true)]
|
||||
[BitAutoData(false, true, true)]
|
||||
[BitAutoData(true, true, true)]
|
||||
public async Task CreateAsync_NotUnique_ThrowsException(
|
||||
bool testUserPolicies,
|
||||
bool testGroupPolicies,
|
||||
bool testServiceAccountPolicies,
|
||||
List<UserProjectAccessPolicy> userProjectAccessPolicies,
|
||||
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
|
||||
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
|
||||
SutProvider<CreateAccessPoliciesCommand> sutProvider
|
||||
)
|
||||
{
|
||||
var data = new List<BaseAccessPolicy>();
|
||||
data.AddRange(userProjectAccessPolicies);
|
||||
data.AddRange(groupProjectAccessPolicies);
|
||||
data.AddRange(serviceAccountProjectAccessPolicies);
|
||||
|
||||
if (testUserPolicies)
|
||||
{
|
||||
var mockUserPolicy = new UserProjectAccessPolicy
|
||||
{
|
||||
OrganizationUserId = Guid.NewGuid(),
|
||||
GrantedProjectId = Guid.NewGuid()
|
||||
};
|
||||
data.Add(mockUserPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockUserPolicy);
|
||||
}
|
||||
|
||||
if (testGroupPolicies)
|
||||
{
|
||||
var mockGroupPolicy = new GroupProjectAccessPolicy
|
||||
{
|
||||
GroupId = Guid.NewGuid(),
|
||||
GrantedProjectId = Guid.NewGuid()
|
||||
};
|
||||
data.Add(mockGroupPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockGroupPolicy);
|
||||
}
|
||||
|
||||
if (testServiceAccountPolicies)
|
||||
{
|
||||
var mockServiceAccountPolicy = new ServiceAccountProjectAccessPolicy
|
||||
{
|
||||
ServiceAccountId = Guid.NewGuid(),
|
||||
GrantedProjectId = Guid.NewGuid()
|
||||
};
|
||||
data.Add(mockServiceAccountPolicy);
|
||||
|
||||
// Add a duplicate policy
|
||||
data.Add(mockServiceAccountPolicy);
|
||||
}
|
||||
|
||||
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().AccessPolicyExists(Arg.Any<BaseAccessPolicy>())
|
||||
.Returns(true);
|
||||
|
||||
var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(data));
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().CreateManyAsync(default);
|
||||
}
|
||||
}
|
@ -0,0 +1,38 @@
|
||||
using Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using NSubstitute;
|
||||
using NSubstitute.ReturnsExtensions;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Commercial.Core.Test.SecretManagerFeatures.AccessPolicies;
|
||||
|
||||
[SutProviderCustomize]
|
||||
public class DeleteAccessPolicyCommandTests
|
||||
{
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task DeleteAccessPolicy_Throws_NotFoundException(Guid data,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).ReturnsNull();
|
||||
var exception = await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAsync(data));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task DeleteAccessPolicy_Success(Guid data,
|
||||
SutProvider<DeleteAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data)
|
||||
.Returns(new UserProjectAccessPolicy { Id = data });
|
||||
|
||||
await sutProvider.Sut.DeleteAsync(data);
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1).DeleteAsync(Arg.Is(data));
|
||||
}
|
||||
}
|
@ -0,0 +1,40 @@
|
||||
using Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Bit.Test.Common.Helpers;
|
||||
using NSubstitute;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Commercial.Core.Test.SecretManagerFeatures.AccessPolicies;
|
||||
|
||||
[SutProviderCustomize]
|
||||
public class UpdateAccessPolicyCommandTests
|
||||
{
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task UpdateAsync_Throws_NotFoundException(Guid data, bool read, bool write,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
var exception =
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateAsync(data, read, write));
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(default);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task UpdateAsync_Calls_Replace(Guid data, bool read, bool write,
|
||||
SutProvider<UpdateAccessPolicyCommand> sutProvider)
|
||||
{
|
||||
var existingPolicy = new UserProjectAccessPolicy { Id = data, Read = true, Write = true };
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).Returns(existingPolicy);
|
||||
var result = await sutProvider.Sut.UpdateAsync(data, read, write);
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1).ReplaceAsync(existingPolicy);
|
||||
|
||||
AssertHelper.AssertRecent(result.RevisionDate);
|
||||
Assert.Equal(read, result.Read);
|
||||
Assert.Equal(write, result.Write);
|
||||
}
|
||||
}
|
69
src/Api/Controllers/AccessPoliciesController.cs
Normal file
69
src/Api/Controllers/AccessPoliciesController.cs
Normal file
@ -0,0 +1,69 @@
|
||||
using Bit.Api.SecretManagerFeatures.Models.Request;
|
||||
using Bit.Api.SecretManagerFeatures.Models.Response;
|
||||
using Bit.Api.Utilities;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
|
||||
namespace Bit.Api.Controllers;
|
||||
|
||||
[SecretsManager]
|
||||
[Route("access-policies")]
|
||||
public class AccessPoliciesController : Controller
|
||||
{
|
||||
private readonly IAccessPolicyRepository _accessPolicyRepository;
|
||||
private readonly ICreateAccessPoliciesCommand _createAccessPoliciesCommand;
|
||||
private readonly IDeleteAccessPolicyCommand _deleteAccessPolicyCommand;
|
||||
private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
|
||||
|
||||
public AccessPoliciesController(
|
||||
IAccessPolicyRepository accessPolicyRepository,
|
||||
ICreateAccessPoliciesCommand createAccessPoliciesCommand,
|
||||
IDeleteAccessPolicyCommand deleteAccessPolicyCommand,
|
||||
IUpdateAccessPolicyCommand updateAccessPolicyCommand)
|
||||
{
|
||||
_accessPolicyRepository = accessPolicyRepository;
|
||||
_createAccessPoliciesCommand = createAccessPoliciesCommand;
|
||||
_deleteAccessPolicyCommand = deleteAccessPolicyCommand;
|
||||
_updateAccessPolicyCommand = updateAccessPolicyCommand;
|
||||
}
|
||||
|
||||
[HttpPost("/projects/{id}/access-policies")]
|
||||
public async Task<ProjectAccessPoliciesResponseModel> CreateProjectAccessPoliciesAsync([FromRoute] Guid id,
|
||||
[FromBody] AccessPoliciesCreateRequest request)
|
||||
{
|
||||
var policies = request.ToBaseAccessPoliciesForProject(id);
|
||||
var results = await _createAccessPoliciesCommand.CreateAsync(policies);
|
||||
return new ProjectAccessPoliciesResponseModel(results);
|
||||
}
|
||||
|
||||
[HttpGet("/projects/{id}/access-policies")]
|
||||
public async Task<ProjectAccessPoliciesResponseModel> GetProjectAccessPoliciesAsync([FromRoute] Guid id)
|
||||
{
|
||||
var results = await _accessPolicyRepository.GetManyByProjectId(id);
|
||||
return new ProjectAccessPoliciesResponseModel(results);
|
||||
}
|
||||
|
||||
[HttpPut("{id}")]
|
||||
public async Task<BaseAccessPolicyResponseModel> UpdateAccessPolicyAsync([FromRoute] Guid id,
|
||||
[FromBody] AccessPolicyUpdateRequest request)
|
||||
{
|
||||
var result = await _updateAccessPolicyCommand.UpdateAsync(id, request.Read, request.Write);
|
||||
|
||||
return result switch
|
||||
{
|
||||
UserProjectAccessPolicy accessPolicy => new UserProjectAccessPolicyResponseModel(accessPolicy),
|
||||
GroupProjectAccessPolicy accessPolicy => new GroupProjectAccessPolicyResponseModel(accessPolicy),
|
||||
ServiceAccountProjectAccessPolicy accessPolicy => new ServiceAccountProjectAccessPolicyResponseModel(
|
||||
accessPolicy),
|
||||
_ => throw new ArgumentException("Unsupported access policy type provided.")
|
||||
};
|
||||
}
|
||||
|
||||
[HttpDelete("{id}")]
|
||||
public async Task DeleteAccessPolicyAsync([FromRoute] Guid id)
|
||||
{
|
||||
await _deleteAccessPolicyCommand.DeleteAsync(id);
|
||||
}
|
||||
}
|
@ -0,0 +1,77 @@
|
||||
#nullable enable
|
||||
using System.ComponentModel.DataAnnotations;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
|
||||
namespace Bit.Api.SecretManagerFeatures.Models.Request;
|
||||
|
||||
public class AccessPoliciesCreateRequest
|
||||
{
|
||||
public IEnumerable<AccessPolicyRequest>? UserAccessPolicyRequests { get; set; }
|
||||
|
||||
public IEnumerable<AccessPolicyRequest>? GroupAccessPolicyRequests { get; set; }
|
||||
|
||||
public IEnumerable<AccessPolicyRequest>? ServiceAccountAccessPolicyRequests { get; set; }
|
||||
|
||||
public List<BaseAccessPolicy> ToBaseAccessPoliciesForProject(Guid projectId)
|
||||
{
|
||||
if (UserAccessPolicyRequests == null && GroupAccessPolicyRequests == null && ServiceAccountAccessPolicyRequests == null)
|
||||
{
|
||||
throw new BadRequestException("No creation requests provided.");
|
||||
}
|
||||
|
||||
var userAccessPolicies = UserAccessPolicyRequests?
|
||||
.Select(x => x.ToUserProjectAccessPolicy(projectId)).ToList();
|
||||
|
||||
var groupAccessPolicies = GroupAccessPolicyRequests?
|
||||
.Select(x => x.ToGroupProjectAccessPolicy(projectId)).ToList();
|
||||
|
||||
var serviceAccountAccessPolicies = ServiceAccountAccessPolicyRequests?
|
||||
.Select(x => x.ToServiceAccountProjectAccessPolicy(projectId)).ToList();
|
||||
|
||||
var policies = new List<BaseAccessPolicy>();
|
||||
if (userAccessPolicies != null) { policies.AddRange(userAccessPolicies); }
|
||||
if (groupAccessPolicies != null) { policies.AddRange(groupAccessPolicies); }
|
||||
if (serviceAccountAccessPolicies != null) { policies.AddRange(serviceAccountAccessPolicies); }
|
||||
return policies;
|
||||
}
|
||||
}
|
||||
|
||||
public class AccessPolicyRequest
|
||||
{
|
||||
[Required]
|
||||
public Guid GranteeId { get; set; }
|
||||
|
||||
[Required]
|
||||
public bool Read { get; set; }
|
||||
|
||||
[Required]
|
||||
public bool Write { get; set; }
|
||||
|
||||
public UserProjectAccessPolicy ToUserProjectAccessPolicy(Guid projectId) =>
|
||||
new()
|
||||
{
|
||||
OrganizationUserId = GranteeId,
|
||||
GrantedProjectId = projectId,
|
||||
Read = Read,
|
||||
Write = Write
|
||||
};
|
||||
|
||||
public GroupProjectAccessPolicy ToGroupProjectAccessPolicy(Guid projectId) =>
|
||||
new()
|
||||
{
|
||||
GroupId = GranteeId,
|
||||
GrantedProjectId = projectId,
|
||||
Read = Read,
|
||||
Write = Write
|
||||
};
|
||||
|
||||
public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid projectId) =>
|
||||
new()
|
||||
{
|
||||
ServiceAccountId = GranteeId,
|
||||
GrantedProjectId = projectId,
|
||||
Read = Read,
|
||||
Write = Write
|
||||
};
|
||||
}
|
@ -0,0 +1,12 @@
|
||||
using System.ComponentModel.DataAnnotations;
|
||||
|
||||
namespace Bit.Api.SecretManagerFeatures.Models.Request;
|
||||
|
||||
public class AccessPolicyUpdateRequest
|
||||
{
|
||||
[Required]
|
||||
public bool Read { get; set; }
|
||||
|
||||
[Required]
|
||||
public bool Write { get; set; }
|
||||
}
|
@ -0,0 +1,128 @@
|
||||
#nullable enable
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Models.Api;
|
||||
|
||||
namespace Bit.Api.SecretManagerFeatures.Models.Response;
|
||||
|
||||
public abstract class BaseAccessPolicyResponseModel : ResponseModel
|
||||
{
|
||||
protected BaseAccessPolicyResponseModel(BaseAccessPolicy baseAccessPolicy, string obj) : base(obj)
|
||||
{
|
||||
Id = baseAccessPolicy.Id;
|
||||
Read = baseAccessPolicy.Read;
|
||||
Write = baseAccessPolicy.Write;
|
||||
CreationDate = baseAccessPolicy.CreationDate;
|
||||
RevisionDate = baseAccessPolicy.RevisionDate;
|
||||
}
|
||||
|
||||
public Guid Id { get; set; }
|
||||
public bool Read { get; set; }
|
||||
public bool Write { get; set; }
|
||||
public DateTime CreationDate { get; set; }
|
||||
public DateTime RevisionDate { get; set; }
|
||||
}
|
||||
|
||||
public class UserProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
|
||||
{
|
||||
private const string _objectName = "userProjectAccessPolicy";
|
||||
|
||||
public UserProjectAccessPolicyResponseModel(UserProjectAccessPolicy accessPolicy) : base(accessPolicy, _objectName)
|
||||
{
|
||||
OrganizationUserId = accessPolicy.OrganizationUserId;
|
||||
GrantedProjectId = accessPolicy.GrantedProjectId;
|
||||
OrganizationUserName = accessPolicy.User?.Name;
|
||||
}
|
||||
|
||||
public UserProjectAccessPolicyResponseModel() : base(new UserProjectAccessPolicy(), _objectName)
|
||||
{
|
||||
}
|
||||
|
||||
public Guid? OrganizationUserId { get; set; }
|
||||
public string? OrganizationUserName { get; set; }
|
||||
public Guid? GrantedProjectId { get; set; }
|
||||
}
|
||||
|
||||
public class UserServiceAccountAccessPolicyResponseModel : BaseAccessPolicyResponseModel
|
||||
{
|
||||
private const string _objectName = "userServiceAccountAccessPolicy";
|
||||
|
||||
public UserServiceAccountAccessPolicyResponseModel(UserServiceAccountAccessPolicy accessPolicy)
|
||||
: base(accessPolicy, _objectName)
|
||||
{
|
||||
OrganizationUserId = accessPolicy.OrganizationUserId;
|
||||
GrantedServiceAccountId = accessPolicy.GrantedServiceAccountId;
|
||||
OrganizationUserName = accessPolicy.User?.Name;
|
||||
}
|
||||
|
||||
public UserServiceAccountAccessPolicyResponseModel() : base(new UserServiceAccountAccessPolicy(), _objectName)
|
||||
{
|
||||
}
|
||||
|
||||
public Guid? OrganizationUserId { get; set; }
|
||||
public string? OrganizationUserName { get; set; }
|
||||
public Guid? GrantedServiceAccountId { get; set; }
|
||||
}
|
||||
|
||||
public class GroupProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
|
||||
{
|
||||
private const string _objectName = "groupProjectAccessPolicy";
|
||||
|
||||
public GroupProjectAccessPolicyResponseModel(GroupProjectAccessPolicy accessPolicy)
|
||||
: base(accessPolicy, _objectName)
|
||||
{
|
||||
GroupId = accessPolicy.GroupId;
|
||||
GrantedProjectId = accessPolicy.GrantedProjectId;
|
||||
GroupName = accessPolicy.Group?.Name;
|
||||
}
|
||||
|
||||
public GroupProjectAccessPolicyResponseModel() : base(new GroupProjectAccessPolicy(), _objectName)
|
||||
{
|
||||
}
|
||||
|
||||
public Guid? GroupId { get; set; }
|
||||
public string? GroupName { get; set; }
|
||||
public Guid? GrantedProjectId { get; set; }
|
||||
}
|
||||
|
||||
public class GroupServiceAccountAccessPolicyResponseModel : BaseAccessPolicyResponseModel
|
||||
{
|
||||
private const string _objectName = "groupServiceAccountAccessPolicy";
|
||||
|
||||
public GroupServiceAccountAccessPolicyResponseModel(GroupServiceAccountAccessPolicy accessPolicy)
|
||||
: base(accessPolicy, _objectName)
|
||||
{
|
||||
GroupId = accessPolicy.GroupId;
|
||||
GroupName = accessPolicy.Group?.Name;
|
||||
GrantedServiceAccountId = accessPolicy.GrantedServiceAccountId;
|
||||
}
|
||||
|
||||
public GroupServiceAccountAccessPolicyResponseModel() : base(new GroupServiceAccountAccessPolicy(), _objectName)
|
||||
{
|
||||
}
|
||||
|
||||
public Guid? GroupId { get; set; }
|
||||
public string? GroupName { get; set; }
|
||||
public Guid? GrantedServiceAccountId { get; set; }
|
||||
}
|
||||
|
||||
public class ServiceAccountProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
|
||||
{
|
||||
private const string _objectName = "serviceAccountProjectAccessPolicy";
|
||||
|
||||
public ServiceAccountProjectAccessPolicyResponseModel(ServiceAccountProjectAccessPolicy accessPolicy)
|
||||
: base(accessPolicy, _objectName)
|
||||
{
|
||||
ServiceAccountId = accessPolicy.ServiceAccountId;
|
||||
GrantedProjectId = accessPolicy.GrantedProjectId;
|
||||
ServiceAccountName = accessPolicy.ServiceAccount?.Name;
|
||||
}
|
||||
|
||||
public ServiceAccountProjectAccessPolicyResponseModel()
|
||||
: base(new ServiceAccountProjectAccessPolicy(), _objectName)
|
||||
{
|
||||
}
|
||||
|
||||
public Guid? ServiceAccountId { get; set; }
|
||||
public string? ServiceAccountName { get; set; }
|
||||
public Guid? GrantedProjectId { get; set; }
|
||||
}
|
@ -0,0 +1,43 @@
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Models.Api;
|
||||
|
||||
namespace Bit.Api.SecretManagerFeatures.Models.Response;
|
||||
|
||||
public class ProjectAccessPoliciesResponseModel : ResponseModel
|
||||
{
|
||||
private const string _objectName = "projectAccessPolicies";
|
||||
|
||||
public ProjectAccessPoliciesResponseModel(IEnumerable<BaseAccessPolicy> baseAccessPolicies)
|
||||
: base(_objectName)
|
||||
{
|
||||
if (baseAccessPolicies == null)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
foreach (var baseAccessPolicy in baseAccessPolicies)
|
||||
switch (baseAccessPolicy)
|
||||
{
|
||||
case UserProjectAccessPolicy accessPolicy:
|
||||
UserAccessPolicies.Add(new UserProjectAccessPolicyResponseModel(accessPolicy));
|
||||
break;
|
||||
case GroupProjectAccessPolicy accessPolicy:
|
||||
GroupAccessPolicies.Add(new GroupProjectAccessPolicyResponseModel(accessPolicy));
|
||||
break;
|
||||
case ServiceAccountProjectAccessPolicy accessPolicy:
|
||||
ServiceAccountAccessPolicies.Add(
|
||||
new ServiceAccountProjectAccessPolicyResponseModel(accessPolicy));
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
public ProjectAccessPoliciesResponseModel() : base(_objectName)
|
||||
{
|
||||
}
|
||||
|
||||
public List<UserProjectAccessPolicyResponseModel> UserAccessPolicies { get; set; } = new();
|
||||
|
||||
public List<GroupProjectAccessPolicyResponseModel> GroupAccessPolicies { get; set; } = new();
|
||||
|
||||
public List<ServiceAccountProjectAccessPolicyResponseModel> ServiceAccountAccessPolicies { get; set; } = new();
|
||||
}
|
@ -1,33 +1,8 @@
|
||||
using Bit.Core.Utilities;
|
||||
#nullable enable
|
||||
using Bit.Core.Utilities;
|
||||
|
||||
namespace Bit.Core.Entities;
|
||||
|
||||
public class AccessPolicy : ITableObject<Guid>
|
||||
{
|
||||
public Guid Id { get; set; }
|
||||
|
||||
// Object to grant access from
|
||||
public Guid? OrganizationUserId { get; set; }
|
||||
public Guid? GroupId { get; set; }
|
||||
public Guid? ServiceAccountId { get; set; }
|
||||
|
||||
// Object to grant access to
|
||||
public Guid? GrantedProjectId { get; set; }
|
||||
public Guid? GrantedServiceAccountId { get; set; }
|
||||
|
||||
// Access
|
||||
public bool Read { get; set; }
|
||||
public bool Write { get; set; }
|
||||
|
||||
public DateTime CreationDate { get; set; }
|
||||
public DateTime RevisionDate { get; set; }
|
||||
|
||||
public void SetNewId()
|
||||
{
|
||||
Id = CoreHelpers.GenerateComb();
|
||||
}
|
||||
}
|
||||
|
||||
public abstract class BaseAccessPolicy
|
||||
{
|
||||
public Guid Id { get; set; }
|
||||
@ -36,8 +11,8 @@ public abstract class BaseAccessPolicy
|
||||
public bool Read { get; set; }
|
||||
public bool Write { get; set; }
|
||||
|
||||
public DateTime CreationDate { get; set; }
|
||||
public DateTime RevisionDate { get; set; }
|
||||
public DateTime CreationDate { get; set; } = DateTime.UtcNow;
|
||||
public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
|
||||
|
||||
public void SetNewId()
|
||||
{
|
||||
@ -49,28 +24,33 @@ public class UserProjectAccessPolicy : BaseAccessPolicy
|
||||
{
|
||||
public Guid? OrganizationUserId { get; set; }
|
||||
public Guid? GrantedProjectId { get; set; }
|
||||
public User? User { get; set; }
|
||||
}
|
||||
|
||||
public class UserServiceAccountAccessPolicy : BaseAccessPolicy
|
||||
{
|
||||
public Guid? OrganizationUserId { get; set; }
|
||||
public Guid? GrantedServiceAccountId { get; set; }
|
||||
public User? User { get; set; }
|
||||
}
|
||||
|
||||
public class GroupProjectAccessPolicy : BaseAccessPolicy
|
||||
{
|
||||
public Guid? GroupId { get; set; }
|
||||
public Guid? GrantedProjectId { get; set; }
|
||||
public Group? Group { get; set; }
|
||||
}
|
||||
|
||||
public class GroupServiceAccountAccessPolicy : BaseAccessPolicy
|
||||
{
|
||||
public Guid? GroupId { get; set; }
|
||||
public Guid? GrantedServiceAccountId { get; set; }
|
||||
public Group? Group { get; set; }
|
||||
}
|
||||
|
||||
public class ServiceAccountProjectAccessPolicy : BaseAccessPolicy
|
||||
{
|
||||
public Guid? ServiceAccountId { get; set; }
|
||||
public Guid? GrantedProjectId { get; set; }
|
||||
public ServiceAccount? ServiceAccount { get; set; }
|
||||
}
|
||||
|
@ -1,7 +1,14 @@
|
||||
using Bit.Core.Entities;
|
||||
#nullable enable
|
||||
using Bit.Core.Entities;
|
||||
|
||||
namespace Bit.Core.Repositories;
|
||||
|
||||
public interface IAccessPolicyRepository : IRepository<AccessPolicy, Guid>
|
||||
public interface IAccessPolicyRepository
|
||||
{
|
||||
Task<List<BaseAccessPolicy>> CreateManyAsync(List<BaseAccessPolicy> baseAccessPolicies);
|
||||
Task<bool> AccessPolicyExists(BaseAccessPolicy baseAccessPolicy);
|
||||
Task<BaseAccessPolicy?> GetByIdAsync(Guid id);
|
||||
Task<IEnumerable<BaseAccessPolicy>?> GetManyByProjectId(Guid id);
|
||||
Task ReplaceAsync(BaseAccessPolicy baseAccessPolicy);
|
||||
Task DeleteAsync(Guid id);
|
||||
}
|
||||
|
@ -0,0 +1,8 @@
|
||||
using Bit.Core.Entities;
|
||||
|
||||
namespace Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
|
||||
|
||||
public interface ICreateAccessPoliciesCommand
|
||||
{
|
||||
Task<List<BaseAccessPolicy>> CreateAsync(List<BaseAccessPolicy> accessPolicies);
|
||||
}
|
@ -0,0 +1,6 @@
|
||||
namespace Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
|
||||
|
||||
public interface IDeleteAccessPolicyCommand
|
||||
{
|
||||
Task DeleteAsync(Guid id);
|
||||
}
|
@ -0,0 +1,8 @@
|
||||
using Bit.Core.Entities;
|
||||
|
||||
namespace Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
|
||||
|
||||
public interface IUpdateAccessPolicyCommand
|
||||
{
|
||||
public Task<BaseAccessPolicy> UpdateAsync(Guid id, bool read, bool write);
|
||||
}
|
@ -11,7 +11,10 @@ public class AccessPolicyMapperProfile : Profile
|
||||
{
|
||||
public AccessPolicyMapperProfile()
|
||||
{
|
||||
CreateMap<Core.Entities.AccessPolicy, AccessPolicy>().ReverseMap();
|
||||
CreateMap<Core.Entities.UserProjectAccessPolicy, UserProjectAccessPolicy>().ReverseMap()
|
||||
.ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
|
||||
CreateMap<Core.Entities.GroupProjectAccessPolicy, GroupProjectAccessPolicy>().ReverseMap();
|
||||
CreateMap<Core.Entities.ServiceAccountProjectAccessPolicy, ServiceAccountProjectAccessPolicy>().ReverseMap();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -1,27 +0,0 @@
|
||||
using AutoMapper;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Infrastructure.EntityFramework.Models;
|
||||
using Microsoft.EntityFrameworkCore;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using CoreAccessPolicy = Bit.Core.Entities.AccessPolicy;
|
||||
|
||||
namespace Bit.Infrastructure.EntityFramework.Repositories;
|
||||
|
||||
public class AccessPolicyRepository : IAccessPolicyRepository
|
||||
{
|
||||
public AccessPolicyRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
|
||||
{
|
||||
}
|
||||
|
||||
protected Func<DatabaseContext, DbSet<AccessPolicy>> GetDbSet { get; private set; }
|
||||
|
||||
public Task<CoreAccessPolicy> GetByIdAsync(Guid id) => throw new NotImplementedException();
|
||||
|
||||
public Task<CoreAccessPolicy> CreateAsync(CoreAccessPolicy obj) => throw new NotImplementedException();
|
||||
|
||||
public Task ReplaceAsync(CoreAccessPolicy obj) => throw new NotImplementedException();
|
||||
|
||||
public Task UpsertAsync(CoreAccessPolicy obj) => throw new NotImplementedException();
|
||||
|
||||
public Task DeleteAsync(CoreAccessPolicy obj) => throw new NotImplementedException();
|
||||
}
|
@ -17,6 +17,9 @@ public class DatabaseContext : DbContext
|
||||
{ }
|
||||
|
||||
public DbSet<AccessPolicy> AccessPolicies { get; set; }
|
||||
public DbSet<UserProjectAccessPolicy> UserProjectAccessPolicy { get; set; }
|
||||
public DbSet<GroupProjectAccessPolicy> GroupProjectAccessPolicy { get; set; }
|
||||
public DbSet<ServiceAccountProjectAccessPolicy> ServiceAccountProjectAccessPolicy { get; set; }
|
||||
public DbSet<ApiKey> ApiKeys { get; set; }
|
||||
public DbSet<Cipher> Ciphers { get; set; }
|
||||
public DbSet<Collection> Collections { get; set; }
|
||||
|
@ -0,0 +1,185 @@
|
||||
using System.Net.Http.Headers;
|
||||
using Bit.Api.IntegrationTest.Factories;
|
||||
using Bit.Api.IntegrationTest.Helpers;
|
||||
using Bit.Api.SecretManagerFeatures.Models.Request;
|
||||
using Bit.Api.SecretManagerFeatures.Models.Response;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Test.Common.Helpers;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Api.IntegrationTest.Controllers;
|
||||
|
||||
public class AccessPoliciesControllerTest : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
|
||||
{
|
||||
private readonly IAccessPolicyRepository _accessPolicyRepository;
|
||||
|
||||
private readonly HttpClient _client;
|
||||
private readonly ApiApplicationFactory _factory;
|
||||
|
||||
private const string _mockEncryptedString = "2.3Uk+WNBIoU5xzmVFNcoWzz==|1MsPIYuRfdOHfu/0uY6H2Q==|/98sp4wb6pHP1VTZ9JcNCYgQjEUMFPlqJgCwRk1YXKg=";
|
||||
|
||||
private readonly IProjectRepository _projectRepository;
|
||||
private readonly IServiceAccountRepository _serviceAccountRepository;
|
||||
private Organization _organization = null!;
|
||||
|
||||
public AccessPoliciesControllerTest(ApiApplicationFactory factory)
|
||||
{
|
||||
_factory = factory;
|
||||
_client = _factory.CreateClient();
|
||||
_accessPolicyRepository = _factory.GetService<IAccessPolicyRepository>();
|
||||
_serviceAccountRepository = _factory.GetService<IServiceAccountRepository>();
|
||||
_projectRepository = _factory.GetService<IProjectRepository>();
|
||||
}
|
||||
|
||||
public async Task InitializeAsync()
|
||||
{
|
||||
var ownerEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
|
||||
var tokens = await _factory.LoginWithNewAccount(ownerEmail);
|
||||
var (organization, _) =
|
||||
await OrganizationTestHelpers.SignUpAsync(_factory, ownerEmail: ownerEmail, billingEmail: ownerEmail);
|
||||
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
|
||||
_organization = organization;
|
||||
}
|
||||
|
||||
public Task DisposeAsync() => Task.CompletedTask;
|
||||
|
||||
[Fact]
|
||||
public async Task CreateProjectAccessPolicies()
|
||||
{
|
||||
var initialProject = await _projectRepository.CreateAsync(new Project
|
||||
{
|
||||
OrganizationId = _organization.Id,
|
||||
Name = _mockEncryptedString
|
||||
});
|
||||
|
||||
var initialServiceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
|
||||
{
|
||||
OrganizationId = _organization.Id,
|
||||
Name = _mockEncryptedString
|
||||
});
|
||||
|
||||
var request = new AccessPoliciesCreateRequest
|
||||
{
|
||||
ServiceAccountAccessPolicyRequests = new List<AccessPolicyRequest>
|
||||
{
|
||||
new() { GranteeId = initialServiceAccount.Id, Read = true, Write = true }
|
||||
}
|
||||
};
|
||||
|
||||
var response = await _client.PostAsJsonAsync($"/projects/{initialProject.Id}/access-policies", request);
|
||||
response.EnsureSuccessStatusCode();
|
||||
|
||||
var result = await response.Content.ReadFromJsonAsync<ProjectAccessPoliciesResponseModel>();
|
||||
|
||||
Assert.NotNull(result);
|
||||
Assert.Equal(initialServiceAccount.Id, result!.ServiceAccountAccessPolicies.First().ServiceAccountId);
|
||||
Assert.True(result.ServiceAccountAccessPolicies.First().Read);
|
||||
Assert.True(result.ServiceAccountAccessPolicies.First().Write);
|
||||
AssertHelper.AssertRecent(result.ServiceAccountAccessPolicies.First().RevisionDate);
|
||||
AssertHelper.AssertRecent(result.ServiceAccountAccessPolicies.First().CreationDate);
|
||||
|
||||
var createdAccessPolicy =
|
||||
await _accessPolicyRepository.GetByIdAsync(result.ServiceAccountAccessPolicies.First().Id);
|
||||
Assert.NotNull(createdAccessPolicy);
|
||||
Assert.Equal(result.ServiceAccountAccessPolicies.First().Read, createdAccessPolicy!.Read);
|
||||
Assert.Equal(result.ServiceAccountAccessPolicies.First().Write, createdAccessPolicy.Write);
|
||||
Assert.Equal(result.ServiceAccountAccessPolicies.First().Id, createdAccessPolicy.Id);
|
||||
AssertHelper.AssertRecent(createdAccessPolicy.CreationDate);
|
||||
AssertHelper.AssertRecent(createdAccessPolicy.RevisionDate);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task UpdateAccessPolicy()
|
||||
{
|
||||
var initData = await SetupAccessPolicyRequest();
|
||||
|
||||
const bool expectedRead = true;
|
||||
const bool expectedWrite = false;
|
||||
var request = new AccessPolicyUpdateRequest { Read = expectedRead, Write = expectedWrite };
|
||||
|
||||
var response = await _client.PutAsJsonAsync($"/access-policies/{initData.InitialAccessPolicyId}", request);
|
||||
response.EnsureSuccessStatusCode();
|
||||
|
||||
var result = await response.Content.ReadFromJsonAsync<ServiceAccountProjectAccessPolicyResponseModel>();
|
||||
|
||||
Assert.NotNull(result);
|
||||
Assert.Equal(expectedRead, result!.Read);
|
||||
Assert.Equal(expectedWrite, result.Write);
|
||||
AssertHelper.AssertRecent(result.RevisionDate);
|
||||
|
||||
var updatedAccessPolicy = await _accessPolicyRepository.GetByIdAsync(result.Id);
|
||||
Assert.NotNull(updatedAccessPolicy);
|
||||
Assert.Equal(expectedRead, updatedAccessPolicy!.Read);
|
||||
Assert.Equal(expectedWrite, updatedAccessPolicy.Write);
|
||||
AssertHelper.AssertRecent(updatedAccessPolicy.RevisionDate);
|
||||
}
|
||||
|
||||
|
||||
[Fact]
|
||||
public async Task DeleteAccessPolicy()
|
||||
{
|
||||
var initData = await SetupAccessPolicyRequest();
|
||||
|
||||
var response = await _client.DeleteAsync($"/access-policies/{initData.InitialAccessPolicyId}");
|
||||
response.EnsureSuccessStatusCode();
|
||||
|
||||
var test = await _accessPolicyRepository.GetByIdAsync(initData.InitialAccessPolicyId);
|
||||
Assert.Null(test);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task GetProjectAccessPolicies()
|
||||
{
|
||||
var initData = await SetupAccessPolicyRequest();
|
||||
|
||||
var response = await _client.GetAsync($"/projects/{initData.InitialProjectId}/access-policies");
|
||||
response.EnsureSuccessStatusCode();
|
||||
|
||||
var result = await response.Content.ReadFromJsonAsync<ProjectAccessPoliciesResponseModel>();
|
||||
|
||||
Assert.NotNull(result?.ServiceAccountAccessPolicies);
|
||||
Assert.Single(result!.ServiceAccountAccessPolicies);
|
||||
}
|
||||
|
||||
private async Task<RequestSetupData> SetupAccessPolicyRequest()
|
||||
{
|
||||
var initialProject = await _projectRepository.CreateAsync(new Project
|
||||
{
|
||||
OrganizationId = _organization.Id,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
|
||||
var initialServiceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
|
||||
{
|
||||
OrganizationId = _organization.Id,
|
||||
Name = _mockEncryptedString,
|
||||
});
|
||||
|
||||
var initialAccessPolicy = await _accessPolicyRepository.CreateManyAsync(
|
||||
new List<BaseAccessPolicy>
|
||||
{
|
||||
new ServiceAccountProjectAccessPolicy
|
||||
{
|
||||
Read = true,
|
||||
Write = true,
|
||||
ServiceAccountId = initialServiceAccount.Id,
|
||||
GrantedProjectId = initialProject.Id,
|
||||
}
|
||||
});
|
||||
|
||||
return new RequestSetupData
|
||||
{
|
||||
InitialProjectId = initialProject.Id,
|
||||
InitialServiceAccountId = initialServiceAccount.Id,
|
||||
InitialAccessPolicyId = initialAccessPolicy.First().Id,
|
||||
};
|
||||
}
|
||||
|
||||
private class RequestSetupData
|
||||
{
|
||||
public Guid InitialProjectId { get; set; }
|
||||
public Guid InitialAccessPolicyId { get; set; }
|
||||
public Guid InitialServiceAccountId { get; set; }
|
||||
}
|
||||
}
|
87
test/Api.Test/Controllers/AccessPoliciesControllerTests.cs
Normal file
87
test/Api.Test/Controllers/AccessPoliciesControllerTests.cs
Normal file
@ -0,0 +1,87 @@
|
||||
using Bit.Api.Controllers;
|
||||
using Bit.Api.SecretManagerFeatures.Models.Request;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Bit.Test.Common.Helpers;
|
||||
using NSubstitute;
|
||||
using NSubstitute.ReturnsExtensions;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Api.Test.Controllers;
|
||||
|
||||
[ControllerCustomize(typeof(AccessPoliciesController))]
|
||||
[SutProviderCustomize]
|
||||
[JsonDocumentCustomize]
|
||||
public class AccessPoliciesControllerTests
|
||||
{
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void GetAccessPoliciesByProject_ReturnsEmptyList(SutProvider<AccessPoliciesController> sutProvider,
|
||||
Guid id)
|
||||
{
|
||||
var result = await sutProvider.Sut.GetProjectAccessPoliciesAsync(id);
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
|
||||
.GetManyByProjectId(Arg.Is(AssertHelper.AssertPropertyEqual(id)));
|
||||
|
||||
Assert.Empty(result.GroupAccessPolicies);
|
||||
Assert.Empty(result.UserAccessPolicies);
|
||||
Assert.Empty(result.ServiceAccountAccessPolicies);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void GetAccessPoliciesByProject_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id,
|
||||
UserProjectAccessPolicy resultAccessPolicy)
|
||||
{
|
||||
sutProvider.GetDependency<IAccessPolicyRepository>().GetManyByProjectId(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { resultAccessPolicy });
|
||||
|
||||
var result = await sutProvider.Sut.GetProjectAccessPoliciesAsync(id);
|
||||
|
||||
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
|
||||
.GetManyByProjectId(Arg.Is(AssertHelper.AssertPropertyEqual(id)));
|
||||
|
||||
Assert.Empty(result.GroupAccessPolicies);
|
||||
Assert.NotEmpty(result.UserAccessPolicies);
|
||||
Assert.Empty(result.ServiceAccountAccessPolicies);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void CreateAccessPolicies_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id,
|
||||
UserProjectAccessPolicy data, AccessPoliciesCreateRequest request)
|
||||
{
|
||||
sutProvider.GetDependency<ICreateAccessPoliciesCommand>().CreateAsync(default)
|
||||
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
|
||||
var result = await sutProvider.Sut.CreateProjectAccessPoliciesAsync(id, request);
|
||||
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().Received(1)
|
||||
.CreateAsync(Arg.Any<List<BaseAccessPolicy>>());
|
||||
}
|
||||
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void UpdateAccessPolicies_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id,
|
||||
UserProjectAccessPolicy data, AccessPolicyUpdateRequest request)
|
||||
{
|
||||
sutProvider.GetDependency<IUpdateAccessPolicyCommand>().UpdateAsync(default, default, default)
|
||||
.ReturnsForAnyArgs(data);
|
||||
var result = await sutProvider.Sut.UpdateAccessPolicyAsync(id, request);
|
||||
await sutProvider.GetDependency<IUpdateAccessPolicyCommand>().Received(1)
|
||||
.UpdateAsync(Arg.Any<Guid>(), Arg.Is(request.Read), Arg.Is(request.Write));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async void DeleteAccessPolicies_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id)
|
||||
{
|
||||
sutProvider.GetDependency<IDeleteAccessPolicyCommand>().DeleteAsync(default).ReturnsNull();
|
||||
await sutProvider.Sut.DeleteAccessPolicyAsync(id);
|
||||
await sutProvider.GetDependency<IDeleteAccessPolicyCommand>().Received(1)
|
||||
.DeleteAsync(Arg.Any<Guid>());
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user