Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-01-11 20:10:38 +01:00
Code Issues Projects Releases Wiki Activity

[SM-390] Project Access Policies (#2507)

Browse Source 
The purpose of this PR is to create server endpoints for creating, reading, updating, and deleting access policies for projects.
This commit is contained in:
Thomas Avery 2023-01-19 17:31:19 -06:00 committed by GitHub
parent ae647bbf44
commit 53ba2eeb18
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
24 changed files with 1133 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
bitwarden_license/src/Commercial.Core/SecretManagerFeatures/AccessPolicies/CreateAccessPoliciesCommand.cs Normal file
View File

@ -0,0 +1,45 @@
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Repositories;
using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
namespace Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
public class CreateAccessPoliciesCommand : ICreateAccessPoliciesCommand
{
private readonly IAccessPolicyRepository _accessPolicyRepository;
public CreateAccessPoliciesCommand(IAccessPolicyRepository accessPolicyRepository)
{
_accessPolicyRepository = accessPolicyRepository;
}
public async Task<List<BaseAccessPolicy>> CreateAsync(List<BaseAccessPolicy> accessPolicies)
{
var distinctAccessPolicies = accessPolicies.DistinctBy(baseAccessPolicy =>
{
return baseAccessPolicy switch
{
UserProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId, ap.GrantedProjectId),
GroupProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedProjectId),
ServiceAccountProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.ServiceAccountId, ap.GrantedProjectId),
_ => throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy))
};
}).ToList();
if (accessPolicies.Count != distinctAccessPolicies.Count)
{
throw new BadRequestException("Resources must be unique");
}
foreach (var accessPolicy in accessPolicies)
{
if (await _accessPolicyRepository.AccessPolicyExists(accessPolicy))
{
throw new BadRequestException("Resource already exists");
}
}
return await _accessPolicyRepository.CreateManyAsync(accessPolicies);
}
}

27
bitwarden_license/src/Commercial.Core/SecretManagerFeatures/AccessPolicies/DeleteAccessPolicyCommand.cs Normal file
View File

@ -0,0 +1,27 @@
using Bit.Core.Exceptions;
using Bit.Core.Repositories;
using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
namespace Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
public class DeleteAccessPolicyCommand : IDeleteAccessPolicyCommand
{
private readonly IAccessPolicyRepository _accessPolicyRepository;
public DeleteAccessPolicyCommand(IAccessPolicyRepository accessPolicyRepository)
{
_accessPolicyRepository = accessPolicyRepository;
}
public async Task DeleteAsync(Guid id)
{
var accessPolicy = await _accessPolicyRepository.GetByIdAsync(id);
if (accessPolicy == null)
{
throw new NotFoundException();
}
await _accessPolicyRepository.DeleteAsync(id);
}
}

32
bitwarden_license/src/Commercial.Core/SecretManagerFeatures/AccessPolicies/UpdateAccessPolicyCommand.cs Normal file
View File

@ -0,0 +1,32 @@
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Repositories;
using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
namespace Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
public class UpdateAccessPolicyCommand : IUpdateAccessPolicyCommand
{
private readonly IAccessPolicyRepository _accessPolicyRepository;
public UpdateAccessPolicyCommand(IAccessPolicyRepository accessPolicyRepository)
{
_accessPolicyRepository = accessPolicyRepository;
}
public async Task<BaseAccessPolicy> UpdateAsync(Guid id, bool read, bool write)
{
var accessPolicy = await _accessPolicyRepository.GetByIdAsync(id);
if (accessPolicy == null)
{
throw new NotFoundException();
}
accessPolicy.Read = read;
accessPolicy.Write = write;
accessPolicy.RevisionDate = DateTime.UtcNow;
await _accessPolicyRepository.ReplaceAsync(accessPolicy);
return accessPolicy;
}
}

8
bitwarden_license/src/Commercial.Core/SecretManagerFeatures/SecretManagerCollectionExtensions.cs
View File

@ -1,7 +1,9 @@
using Bit.Commercial.Core.SecretManagerFeatures.AccessTokens; using Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
using Bit.Commercial.Core.SecretManagerFeatures.AccessTokens;
using Bit.Commercial.Core.SecretManagerFeatures.Projects; using Bit.Commercial.Core.SecretManagerFeatures.Projects;
using Bit.Commercial.Core.SecretManagerFeatures.Secrets; using Bit.Commercial.Core.SecretManagerFeatures.Secrets;
using Bit.Commercial.Core.SecretManagerFeatures.ServiceAccounts; using Bit.Commercial.Core.SecretManagerFeatures.ServiceAccounts;
using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
using Bit.Core.SecretManagerFeatures.AccessTokens.Interfaces; using Bit.Core.SecretManagerFeatures.AccessTokens.Interfaces;
using Bit.Core.SecretManagerFeatures.Projects.Interfaces; using Bit.Core.SecretManagerFeatures.Projects.Interfaces;
using Bit.Core.SecretManagerFeatures.Secrets.Interfaces; using Bit.Core.SecretManagerFeatures.Secrets.Interfaces;
@ -23,6 +25,8 @@ public static class SecretManagerCollectionExtensions
services.AddScoped<ICreateServiceAccountCommand, CreateServiceAccountCommand>(); services.AddScoped<ICreateServiceAccountCommand, CreateServiceAccountCommand>();
services.AddScoped<IUpdateServiceAccountCommand, UpdateServiceAccountCommand>(); services.AddScoped<IUpdateServiceAccountCommand, UpdateServiceAccountCommand>();
services.AddScoped<ICreateAccessTokenCommand, CreateAccessTokenCommand>(); services.AddScoped<ICreateAccessTokenCommand, CreateAccessTokenCommand>();
services.AddScoped<ICreateAccessPoliciesCommand, CreateAccessPoliciesCommand>();
services.AddScoped<IUpdateAccessPolicyCommand, UpdateAccessPolicyCommand>();
services.AddScoped<IDeleteAccessPolicyCommand, DeleteAccessPolicyCommand>();
} }
} }

2
bitwarden_license/src/Commercial.Infrastructure.EntityFramework/CommercialEFServiceCollectionExtensions.cs
View File

@ -1,6 +1,5 @@
using Bit.Commercial.Infrastructure.EntityFramework.Repositories; using Bit.Commercial.Infrastructure.EntityFramework.Repositories;
using Bit.Core.Repositories; using Bit.Core.Repositories;
using Bit.Infrastructure.EntityFramework.Repositories;
using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.DependencyInjection;
namespace Bit.Commercial.Infrastructure.EntityFramework; namespace Bit.Commercial.Infrastructure.EntityFramework;
@ -15,4 +14,3 @@ public static class CommercialEFServiceCollectionExtensions
services.AddSingleton<IServiceAccountRepository, ServiceAccountRepository>(); services.AddSingleton<IServiceAccountRepository, ServiceAccountRepository>();
} }
} }

171
bitwarden_license/src/Commercial.Infrastructure.EntityFramework/Repositories/AccessPolicyRepository.cs Normal file
View File

@ -0,0 +1,171 @@
using AutoMapper;
using Bit.Core.Repositories;
using Bit.Infrastructure.EntityFramework.Models;
using Bit.Infrastructure.EntityFramework.Repositories;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
namespace Bit.Commercial.Infrastructure.EntityFramework.Repositories;
public class AccessPolicyRepository : BaseEntityFrameworkRepository, IAccessPolicyRepository
{
public AccessPolicyRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper) : base(serviceScopeFactory,
mapper)
{
}
public async Task<List<Core.Entities.BaseAccessPolicy>> CreateManyAsync(List<Core.Entities.BaseAccessPolicy> baseAccessPolicies)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
foreach (var baseAccessPolicy in baseAccessPolicies)
{
baseAccessPolicy.SetNewId();
switch (baseAccessPolicy)
{
case Core.Entities.UserProjectAccessPolicy accessPolicy:
{
var entity =
Mapper.Map<UserProjectAccessPolicy>(accessPolicy);
await dbContext.AddAsync(entity);
break;
}
case Core.Entities.GroupProjectAccessPolicy accessPolicy:
{
var entity = Mapper.Map<GroupProjectAccessPolicy>(accessPolicy);
await dbContext.AddAsync(entity);
break;
}
case Core.Entities.ServiceAccountProjectAccessPolicy accessPolicy:
{
var entity = Mapper.Map<ServiceAccountProjectAccessPolicy>(accessPolicy);
await dbContext.AddAsync(entity);
break;
}
}
}
await dbContext.SaveChangesAsync();
return baseAccessPolicies;
}
}
public async Task<bool> AccessPolicyExists(Core.Entities.BaseAccessPolicy baseAccessPolicy)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
switch (baseAccessPolicy)
{
case Core.Entities.UserProjectAccessPolicy accessPolicy:
{
var policy = await dbContext.UserProjectAccessPolicy
.Where(c => c.OrganizationUserId == accessPolicy.OrganizationUserId &&
c.GrantedProjectId == accessPolicy.GrantedProjectId)
.FirstOrDefaultAsync();
return policy != null;
}
case Core.Entities.GroupProjectAccessPolicy accessPolicy:
{
var policy = await dbContext.GroupProjectAccessPolicy
.Where(c => c.GroupId == accessPolicy.GroupId &&
c.GrantedProjectId == accessPolicy.GrantedProjectId)
.FirstOrDefaultAsync();
return policy != null;
}
case Core.Entities.ServiceAccountProjectAccessPolicy accessPolicy:
{
var policy = await dbContext.ServiceAccountProjectAccessPolicy
.Where(c => c.ServiceAccountId == accessPolicy.ServiceAccountId &&
c.GrantedProjectId == accessPolicy.GrantedProjectId)
.FirstOrDefaultAsync();
return policy != null;
}
default:
throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy));
}
}
}
public async Task<Core.Entities.BaseAccessPolicy?> GetByIdAsync(Guid id)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var entity = await dbContext.AccessPolicies.Where(ap => ap.Id == id)
.Include(ap => ((UserProjectAccessPolicy)ap).OrganizationUser.User)
.Include(ap => ((GroupProjectAccessPolicy)ap).Group)
.Include(ap => ((ServiceAccountProjectAccessPolicy)ap).ServiceAccount)
.FirstOrDefaultAsync();
if (entity == null)
{
return null;
}
return MapToCore(entity);
}
}
public async Task ReplaceAsync(Core.Entities.BaseAccessPolicy baseAccessPolicy)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var entity = await dbContext.AccessPolicies.FindAsync(baseAccessPolicy.Id);
if (entity != null)
{
dbContext.AccessPolicies.Attach(entity);
entity.Write = baseAccessPolicy.Write;
entity.Read = baseAccessPolicy.Read;
entity.RevisionDate = baseAccessPolicy.RevisionDate;
await dbContext.SaveChangesAsync();
}
}
}
public async Task<IEnumerable<Core.Entities.BaseAccessPolicy>?> GetManyByProjectId(Guid id)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var entities = await dbContext.AccessPolicies.Where(ap =>
((UserProjectAccessPolicy)ap).GrantedProjectId == id ||
((GroupProjectAccessPolicy)ap).GrantedProjectId == id ||
((ServiceAccountProjectAccessPolicy)ap).GrantedProjectId == id)
.Include(ap => ((UserProjectAccessPolicy)ap).OrganizationUser.User)
.Include(ap => ((GroupProjectAccessPolicy)ap).Group)
.Include(ap => ((ServiceAccountProjectAccessPolicy)ap).ServiceAccount)
.ToListAsync();
return !entities.Any() ? null : entities.Select(MapToCore);
}
}
public async Task DeleteAsync(Guid id)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
var entity = await dbContext.AccessPolicies.FindAsync(id);
if (entity != null)
{
dbContext.Remove(entity);
await dbContext.SaveChangesAsync();
}
}
}
private Core.Entities.BaseAccessPolicy MapToCore(BaseAccessPolicy baseAccessPolicyEntity)
{
return baseAccessPolicyEntity switch
{
UserProjectAccessPolicy ap => Mapper.Map<Core.Entities.UserProjectAccessPolicy>(ap),
GroupProjectAccessPolicy ap => Mapper.Map<Core.Entities.GroupProjectAccessPolicy>(ap),
ServiceAccountProjectAccessPolicy ap => Mapper.Map<Core.Entities.ServiceAccountProjectAccessPolicy>(ap),
_ => throw new ArgumentException("Unsupported access policy type")
};
}
}

126
bitwarden_license/test/Commercial.Core.Test/SecretManagerFeatures/AccessPolicies/CreateAccessPoliciesCommandTests.cs Normal file
View File

@ -0,0 +1,126 @@
using Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Repositories;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using Bit.Test.Common.Helpers;
using NSubstitute;
using Xunit;
namespace Bit.Commercial.Core.Test.SecretManagerFeatures.AccessPolicies;
[SutProviderCustomize]
public class CreateAccessPoliciesCommandTests
{
[Theory]
[BitAutoData]
public async Task CreateAsync_CallsCreate(List<UserProjectAccessPolicy> userProjectAccessPolicies,
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
SutProvider<CreateAccessPoliciesCommand> sutProvider)
{
var data = new List<BaseAccessPolicy>();
data.AddRange(userProjectAccessPolicies);
data.AddRange(groupProjectAccessPolicies);
data.AddRange(serviceAccountProjectAccessPolicies);
await sutProvider.Sut.CreateAsync(data);
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
.CreateManyAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)));
}
[Theory]
[BitAutoData]
public async Task CreateAsync_AlreadyExists_Throws_BadRequestException(
List<UserProjectAccessPolicy> userProjectAccessPolicies,
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
SutProvider<CreateAccessPoliciesCommand> sutProvider)
{
var data = new List<BaseAccessPolicy>();
data.AddRange(userProjectAccessPolicies);
data.AddRange(groupProjectAccessPolicies);
data.AddRange(serviceAccountProjectAccessPolicies);
sutProvider.GetDependency<IAccessPolicyRepository>().AccessPolicyExists(Arg.Any<BaseAccessPolicy>())
.Returns(true);
var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(data));
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().CreateManyAsync(default);
}
[Theory]
[BitAutoData(true, false, false)]
[BitAutoData(false, true, false)]
[BitAutoData(true, true, false)]
[BitAutoData(false, false, true)]
[BitAutoData(true, false, true)]
[BitAutoData(false, true, true)]
[BitAutoData(true, true, true)]
public async Task CreateAsync_NotUnique_ThrowsException(
bool testUserPolicies,
bool testGroupPolicies,
bool testServiceAccountPolicies,
List<UserProjectAccessPolicy> userProjectAccessPolicies,
List<GroupProjectAccessPolicy> groupProjectAccessPolicies,
List<ServiceAccountProjectAccessPolicy> serviceAccountProjectAccessPolicies,
SutProvider<CreateAccessPoliciesCommand> sutProvider
)
{
var data = new List<BaseAccessPolicy>();
data.AddRange(userProjectAccessPolicies);
data.AddRange(groupProjectAccessPolicies);
data.AddRange(serviceAccountProjectAccessPolicies);
if (testUserPolicies)
{
var mockUserPolicy = new UserProjectAccessPolicy
{
OrganizationUserId = Guid.NewGuid(),
GrantedProjectId = Guid.NewGuid()
};
data.Add(mockUserPolicy);
// Add a duplicate policy
data.Add(mockUserPolicy);
}
if (testGroupPolicies)
{
var mockGroupPolicy = new GroupProjectAccessPolicy
{
GroupId = Guid.NewGuid(),
GrantedProjectId = Guid.NewGuid()
};
data.Add(mockGroupPolicy);
// Add a duplicate policy
data.Add(mockGroupPolicy);
}
if (testServiceAccountPolicies)
{
var mockServiceAccountPolicy = new ServiceAccountProjectAccessPolicy
{
ServiceAccountId = Guid.NewGuid(),
GrantedProjectId = Guid.NewGuid()
};
data.Add(mockServiceAccountPolicy);
// Add a duplicate policy
data.Add(mockServiceAccountPolicy);
}
sutProvider.GetDependency<IAccessPolicyRepository>().AccessPolicyExists(Arg.Any<BaseAccessPolicy>())
.Returns(true);
var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.CreateAsync(data));
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().CreateManyAsync(default);
}
}

38
bitwarden_license/test/Commercial.Core.Test/SecretManagerFeatures/AccessPolicies/DeleteAccessPolicyCommandTests.cs Normal file
View File

@ -0,0 +1,38 @@
using Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Repositories;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using NSubstitute;
using NSubstitute.ReturnsExtensions;
using Xunit;
namespace Bit.Commercial.Core.Test.SecretManagerFeatures.AccessPolicies;
[SutProviderCustomize]
public class DeleteAccessPolicyCommandTests
{
[Theory]
[BitAutoData]
public async Task DeleteAccessPolicy_Throws_NotFoundException(Guid data,
SutProvider<DeleteAccessPolicyCommand> sutProvider)
{
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).ReturnsNull();
var exception = await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.DeleteAsync(data));
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().DeleteAsync(default);
}
[Theory]
[BitAutoData]
public async Task DeleteAccessPolicy_Success(Guid data,
SutProvider<DeleteAccessPolicyCommand> sutProvider)
{
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data)
.Returns(new UserProjectAccessPolicy { Id = data });
await sutProvider.Sut.DeleteAsync(data);
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1).DeleteAsync(Arg.Is(data));
}
}

40
bitwarden_license/test/Commercial.Core.Test/SecretManagerFeatures/AccessPolicies/UpdateAccessPolicyCommandTests.cs Normal file
View File

@ -0,0 +1,40 @@
using Bit.Commercial.Core.SecretManagerFeatures.AccessPolicies;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
using Bit.Core.Repositories;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using Bit.Test.Common.Helpers;
using NSubstitute;
using Xunit;
namespace Bit.Commercial.Core.Test.SecretManagerFeatures.AccessPolicies;
[SutProviderCustomize]
public class UpdateAccessPolicyCommandTests
{
[Theory]
[BitAutoData]
public async Task UpdateAsync_Throws_NotFoundException(Guid data, bool read, bool write,
SutProvider<UpdateAccessPolicyCommand> sutProvider)
{
var exception =
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateAsync(data, read, write));
await sutProvider.GetDependency<IAccessPolicyRepository>().DidNotReceiveWithAnyArgs().ReplaceAsync(default);
}
[Theory]
[BitAutoData]
public async Task UpdateAsync_Calls_Replace(Guid data, bool read, bool write,
SutProvider<UpdateAccessPolicyCommand> sutProvider)
{
var existingPolicy = new UserProjectAccessPolicy { Id = data, Read = true, Write = true };
sutProvider.GetDependency<IAccessPolicyRepository>().GetByIdAsync(data).Returns(existingPolicy);
var result = await sutProvider.Sut.UpdateAsync(data, read, write);
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1).ReplaceAsync(existingPolicy);
AssertHelper.AssertRecent(result.RevisionDate);
Assert.Equal(read, result.Read);
Assert.Equal(write, result.Write);
}
}

69
src/Api/Controllers/AccessPoliciesController.cs Normal file
View File

@ -0,0 +1,69 @@
using Bit.Api.SecretManagerFeatures.Models.Request;
using Bit.Api.SecretManagerFeatures.Models.Response;
using Bit.Api.Utilities;
using Bit.Core.Entities;
using Bit.Core.Repositories;
using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
using Microsoft.AspNetCore.Mvc;
namespace Bit.Api.Controllers;
[SecretsManager]
[Route("access-policies")]
public class AccessPoliciesController : Controller
{
private readonly IAccessPolicyRepository _accessPolicyRepository;
private readonly ICreateAccessPoliciesCommand _createAccessPoliciesCommand;
private readonly IDeleteAccessPolicyCommand _deleteAccessPolicyCommand;
private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
public AccessPoliciesController(
IAccessPolicyRepository accessPolicyRepository,
ICreateAccessPoliciesCommand createAccessPoliciesCommand,
IDeleteAccessPolicyCommand deleteAccessPolicyCommand,
IUpdateAccessPolicyCommand updateAccessPolicyCommand)
{
_accessPolicyRepository = accessPolicyRepository;
_createAccessPoliciesCommand = createAccessPoliciesCommand;
_deleteAccessPolicyCommand = deleteAccessPolicyCommand;
_updateAccessPolicyCommand = updateAccessPolicyCommand;
}
[HttpPost("/projects/{id}/access-policies")]
public async Task<ProjectAccessPoliciesResponseModel> CreateProjectAccessPoliciesAsync([FromRoute] Guid id,
[FromBody] AccessPoliciesCreateRequest request)
{
var policies = request.ToBaseAccessPoliciesForProject(id);
var results = await _createAccessPoliciesCommand.CreateAsync(policies);
return new ProjectAccessPoliciesResponseModel(results);
}
[HttpGet("/projects/{id}/access-policies")]
public async Task<ProjectAccessPoliciesResponseModel> GetProjectAccessPoliciesAsync([FromRoute] Guid id)
{
var results = await _accessPolicyRepository.GetManyByProjectId(id);
return new ProjectAccessPoliciesResponseModel(results);
}
[HttpPut("{id}")]
public async Task<BaseAccessPolicyResponseModel> UpdateAccessPolicyAsync([FromRoute] Guid id,
[FromBody] AccessPolicyUpdateRequest request)
{
var result = await _updateAccessPolicyCommand.UpdateAsync(id, request.Read, request.Write);
return result switch
{
UserProjectAccessPolicy accessPolicy => new UserProjectAccessPolicyResponseModel(accessPolicy),
GroupProjectAccessPolicy accessPolicy => new GroupProjectAccessPolicyResponseModel(accessPolicy),
ServiceAccountProjectAccessPolicy accessPolicy => new ServiceAccountProjectAccessPolicyResponseModel(
accessPolicy),
_ => throw new ArgumentException("Unsupported access policy type provided.")
};
}
[HttpDelete("{id}")]
public async Task DeleteAccessPolicyAsync([FromRoute] Guid id)
{
await _deleteAccessPolicyCommand.DeleteAsync(id);
}
}

77
src/Api/SecretManagerFeatures/Models/Request/AccessPoliciesCreateRequest.cs Normal file
View File

@ -0,0 +1,77 @@
#nullable enable
using System.ComponentModel.DataAnnotations;
using Bit.Core.Entities;
using Bit.Core.Exceptions;
namespace Bit.Api.SecretManagerFeatures.Models.Request;
public class AccessPoliciesCreateRequest
{
public IEnumerable<AccessPolicyRequest>? UserAccessPolicyRequests { get; set; }
public IEnumerable<AccessPolicyRequest>? GroupAccessPolicyRequests { get; set; }
public IEnumerable<AccessPolicyRequest>? ServiceAccountAccessPolicyRequests { get; set; }
public List<BaseAccessPolicy> ToBaseAccessPoliciesForProject(Guid projectId)
{
if (UserAccessPolicyRequests == null && GroupAccessPolicyRequests == null && ServiceAccountAccessPolicyRequests == null)
{
throw new BadRequestException("No creation requests provided.");
}
var userAccessPolicies = UserAccessPolicyRequests?
.Select(x => x.ToUserProjectAccessPolicy(projectId)).ToList();
var groupAccessPolicies = GroupAccessPolicyRequests?
.Select(x => x.ToGroupProjectAccessPolicy(projectId)).ToList();
var serviceAccountAccessPolicies = ServiceAccountAccessPolicyRequests?
.Select(x => x.ToServiceAccountProjectAccessPolicy(projectId)).ToList();
var policies = new List<BaseAccessPolicy>();
if (userAccessPolicies != null) { policies.AddRange(userAccessPolicies); }
if (groupAccessPolicies != null) { policies.AddRange(groupAccessPolicies); }
if (serviceAccountAccessPolicies != null) { policies.AddRange(serviceAccountAccessPolicies); }
return policies;
}
}
public class AccessPolicyRequest
{
[Required]
public Guid GranteeId { get; set; }
[Required]
public bool Read { get; set; }
[Required]
public bool Write { get; set; }
public UserProjectAccessPolicy ToUserProjectAccessPolicy(Guid projectId) =>
new()
{
OrganizationUserId = GranteeId,
GrantedProjectId = projectId,
Read = Read,
Write = Write
};
public GroupProjectAccessPolicy ToGroupProjectAccessPolicy(Guid projectId) =>
new()
{
GroupId = GranteeId,
GrantedProjectId = projectId,
Read = Read,
Write = Write
};
public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid projectId) =>
new()
{
ServiceAccountId = GranteeId,
GrantedProjectId = projectId,
Read = Read,
Write = Write
};
}

12
src/Api/SecretManagerFeatures/Models/Request/AccessPolicyUpdateRequest.cs Normal file
View File

@ -0,0 +1,12 @@
using System.ComponentModel.DataAnnotations;
namespace Bit.Api.SecretManagerFeatures.Models.Request;
public class AccessPolicyUpdateRequest
{
[Required]
public bool Read { get; set; }
[Required]
public bool Write { get; set; }
}

128
src/Api/SecretManagerFeatures/Models/Response/AccessPolicyResponseModel.cs Normal file
View File

@ -0,0 +1,128 @@
#nullable enable
using Bit.Core.Entities;
using Bit.Core.Models.Api;
namespace Bit.Api.SecretManagerFeatures.Models.Response;
public abstract class BaseAccessPolicyResponseModel : ResponseModel
{
protected BaseAccessPolicyResponseModel(BaseAccessPolicy baseAccessPolicy, string obj) : base(obj)
{
Id = baseAccessPolicy.Id;
Read = baseAccessPolicy.Read;
Write = baseAccessPolicy.Write;
CreationDate = baseAccessPolicy.CreationDate;
RevisionDate = baseAccessPolicy.RevisionDate;
}
public Guid Id { get; set; }
public bool Read { get; set; }
public bool Write { get; set; }
public DateTime CreationDate { get; set; }
public DateTime RevisionDate { get; set; }
}
public class UserProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
{
private const string _objectName = "userProjectAccessPolicy";
public UserProjectAccessPolicyResponseModel(UserProjectAccessPolicy accessPolicy) : base(accessPolicy, _objectName)
{
OrganizationUserId = accessPolicy.OrganizationUserId;
GrantedProjectId = accessPolicy.GrantedProjectId;
OrganizationUserName = accessPolicy.User?.Name;
}
public UserProjectAccessPolicyResponseModel() : base(new UserProjectAccessPolicy(), _objectName)
{
}
public Guid? OrganizationUserId { get; set; }
public string? OrganizationUserName { get; set; }
public Guid? GrantedProjectId { get; set; }
}
public class UserServiceAccountAccessPolicyResponseModel : BaseAccessPolicyResponseModel
{
private const string _objectName = "userServiceAccountAccessPolicy";
public UserServiceAccountAccessPolicyResponseModel(UserServiceAccountAccessPolicy accessPolicy)
: base(accessPolicy, _objectName)
{
OrganizationUserId = accessPolicy.OrganizationUserId;
GrantedServiceAccountId = accessPolicy.GrantedServiceAccountId;
OrganizationUserName = accessPolicy.User?.Name;
}
public UserServiceAccountAccessPolicyResponseModel() : base(new UserServiceAccountAccessPolicy(), _objectName)
{
}
public Guid? OrganizationUserId { get; set; }
public string? OrganizationUserName { get; set; }
public Guid? GrantedServiceAccountId { get; set; }
}
public class GroupProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
{
private const string _objectName = "groupProjectAccessPolicy";
public GroupProjectAccessPolicyResponseModel(GroupProjectAccessPolicy accessPolicy)
: base(accessPolicy, _objectName)
{
GroupId = accessPolicy.GroupId;
GrantedProjectId = accessPolicy.GrantedProjectId;
GroupName = accessPolicy.Group?.Name;
}
public GroupProjectAccessPolicyResponseModel() : base(new GroupProjectAccessPolicy(), _objectName)
{
}
public Guid? GroupId { get; set; }
public string? GroupName { get; set; }
public Guid? GrantedProjectId { get; set; }
}
public class GroupServiceAccountAccessPolicyResponseModel : BaseAccessPolicyResponseModel
{
private const string _objectName = "groupServiceAccountAccessPolicy";
public GroupServiceAccountAccessPolicyResponseModel(GroupServiceAccountAccessPolicy accessPolicy)
: base(accessPolicy, _objectName)
{
GroupId = accessPolicy.GroupId;
GroupName = accessPolicy.Group?.Name;
GrantedServiceAccountId = accessPolicy.GrantedServiceAccountId;
}
public GroupServiceAccountAccessPolicyResponseModel() : base(new GroupServiceAccountAccessPolicy(), _objectName)
{
}
public Guid? GroupId { get; set; }
public string? GroupName { get; set; }
public Guid? GrantedServiceAccountId { get; set; }
}
public class ServiceAccountProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
{
private const string _objectName = "serviceAccountProjectAccessPolicy";
public ServiceAccountProjectAccessPolicyResponseModel(ServiceAccountProjectAccessPolicy accessPolicy)
: base(accessPolicy, _objectName)
{
ServiceAccountId = accessPolicy.ServiceAccountId;
GrantedProjectId = accessPolicy.GrantedProjectId;
ServiceAccountName = accessPolicy.ServiceAccount?.Name;
}
public ServiceAccountProjectAccessPolicyResponseModel()
: base(new ServiceAccountProjectAccessPolicy(), _objectName)
{
}
public Guid? ServiceAccountId { get; set; }
public string? ServiceAccountName { get; set; }
public Guid? GrantedProjectId { get; set; }
}

43
src/Api/SecretManagerFeatures/Models/Response/ProjectAccessPoliciesResponseModel.cs Normal file
View File

@ -0,0 +1,43 @@
using Bit.Core.Entities;
using Bit.Core.Models.Api;
namespace Bit.Api.SecretManagerFeatures.Models.Response;
public class ProjectAccessPoliciesResponseModel : ResponseModel
{
private const string _objectName = "projectAccessPolicies";
public ProjectAccessPoliciesResponseModel(IEnumerable<BaseAccessPolicy> baseAccessPolicies)
: base(_objectName)
{
if (baseAccessPolicies == null)
{
return;
}
foreach (var baseAccessPolicy in baseAccessPolicies)
switch (baseAccessPolicy)
{
case UserProjectAccessPolicy accessPolicy:
UserAccessPolicies.Add(new UserProjectAccessPolicyResponseModel(accessPolicy));
break;
case GroupProjectAccessPolicy accessPolicy:
GroupAccessPolicies.Add(new GroupProjectAccessPolicyResponseModel(accessPolicy));
break;
case ServiceAccountProjectAccessPolicy accessPolicy:
ServiceAccountAccessPolicies.Add(
new ServiceAccountProjectAccessPolicyResponseModel(accessPolicy));
break;
}
}
public ProjectAccessPoliciesResponseModel() : base(_objectName)
{
}
public List<UserProjectAccessPolicyResponseModel> UserAccessPolicies { get; set; } = new();
public List<GroupProjectAccessPolicyResponseModel> GroupAccessPolicies { get; set; } = new();
public List<ServiceAccountProjectAccessPolicyResponseModel> ServiceAccountAccessPolicies { get; set; } = new();
}

38
src/Core/Entities/AccessPolicy.cs
View File

@ -1,33 +1,8 @@
using Bit.Core.Utilities; #nullable enable
using Bit.Core.Utilities;
namespace Bit.Core.Entities; namespace Bit.Core.Entities;
public class AccessPolicy : ITableObject<Guid>
{
public Guid Id { get; set; }
// Object to grant access from
public Guid? OrganizationUserId { get; set; }
public Guid? GroupId { get; set; }
public Guid? ServiceAccountId { get; set; }
// Object to grant access to
public Guid? GrantedProjectId { get; set; }
public Guid? GrantedServiceAccountId { get; set; }
// Access
public bool Read { get; set; }
public bool Write { get; set; }
public DateTime CreationDate { get; set; }
public DateTime RevisionDate { get; set; }
public void SetNewId()
{
Id = CoreHelpers.GenerateComb();
}
}
public abstract class BaseAccessPolicy public abstract class BaseAccessPolicy
{ {
public Guid Id { get; set; } public Guid Id { get; set; }
@ -36,8 +11,8 @@ public abstract class BaseAccessPolicy
public bool Read { get; set; } public bool Read { get; set; }
public bool Write { get; set; } public bool Write { get; set; }
public DateTime CreationDate { get; set; } public DateTime CreationDate { get; set; } = DateTime.UtcNow;
public DateTime RevisionDate { get; set; } public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
public void SetNewId() public void SetNewId()
{ {
@ -49,28 +24,33 @@ public class UserProjectAccessPolicy : BaseAccessPolicy
{ {
public Guid? OrganizationUserId { get; set; } public Guid? OrganizationUserId { get; set; }
public Guid? GrantedProjectId { get; set; } public Guid? GrantedProjectId { get; set; }
public User? User { get; set; }
} }
public class UserServiceAccountAccessPolicy : BaseAccessPolicy public class UserServiceAccountAccessPolicy : BaseAccessPolicy
{ {
public Guid? OrganizationUserId { get; set; } public Guid? OrganizationUserId { get; set; }
public Guid? GrantedServiceAccountId { get; set; } public Guid? GrantedServiceAccountId { get; set; }
public User? User { get; set; }
} }
public class GroupProjectAccessPolicy : BaseAccessPolicy public class GroupProjectAccessPolicy : BaseAccessPolicy
{ {
public Guid? GroupId { get; set; } public Guid? GroupId { get; set; }
public Guid? GrantedProjectId { get; set; } public Guid? GrantedProjectId { get; set; }
public Group? Group { get; set; }
} }
public class GroupServiceAccountAccessPolicy : BaseAccessPolicy public class GroupServiceAccountAccessPolicy : BaseAccessPolicy
{ {
public Guid? GroupId { get; set; } public Guid? GroupId { get; set; }
public Guid? GrantedServiceAccountId { get; set; } public Guid? GrantedServiceAccountId { get; set; }
public Group? Group { get; set; }
} }
public class ServiceAccountProjectAccessPolicy : BaseAccessPolicy public class ServiceAccountProjectAccessPolicy : BaseAccessPolicy
{ {
public Guid? ServiceAccountId { get; set; } public Guid? ServiceAccountId { get; set; }
public Guid? GrantedProjectId { get; set; } public Guid? GrantedProjectId { get; set; }
public ServiceAccount? ServiceAccount { get; set; }
} }

11
src/Core/Repositories/IAccessPolicyRepository.cs
View File

@ -1,7 +1,14 @@
using Bit.Core.Entities; #nullable enable
using Bit.Core.Entities;
namespace Bit.Core.Repositories; namespace Bit.Core.Repositories;
public interface IAccessPolicyRepository : IRepository<AccessPolicy, Guid> public interface IAccessPolicyRepository
{ {
Task<List<BaseAccessPolicy>> CreateManyAsync(List<BaseAccessPolicy> baseAccessPolicies);
Task<bool> AccessPolicyExists(BaseAccessPolicy baseAccessPolicy);
Task<BaseAccessPolicy?> GetByIdAsync(Guid id);
Task<IEnumerable<BaseAccessPolicy>?> GetManyByProjectId(Guid id);
Task ReplaceAsync(BaseAccessPolicy baseAccessPolicy);
Task DeleteAsync(Guid id);
} }

8
src/Core/SecretManagerFeatures/AccessPolicies/Interfaces/ICreateAccessPoliciesCommand.cs Normal file
View File

@ -0,0 +1,8 @@
using Bit.Core.Entities;
namespace Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
public interface ICreateAccessPoliciesCommand
{
Task<List<BaseAccessPolicy>> CreateAsync(List<BaseAccessPolicy> accessPolicies);
}

6
src/Core/SecretManagerFeatures/AccessPolicies/Interfaces/IDeleteAccessPolicyCommand.cs Normal file
View File

@ -0,0 +1,6 @@
namespace Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
public interface IDeleteAccessPolicyCommand
{
Task DeleteAsync(Guid id);
}

8
src/Core/SecretManagerFeatures/AccessPolicies/Interfaces/IUpdateAccessPolicyCommand.cs Normal file
View File

@ -0,0 +1,8 @@
using Bit.Core.Entities;
namespace Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
public interface IUpdateAccessPolicyCommand
{
public Task<BaseAccessPolicy> UpdateAsync(Guid id, bool read, bool write);
}

5
src/Infrastructure.EntityFramework/Models/AccessPolicy.cs
View File

@ -11,7 +11,10 @@ public class AccessPolicyMapperProfile : Profile
{ {
public AccessPolicyMapperProfile() public AccessPolicyMapperProfile()
{ {
CreateMap<Core.Entities.AccessPolicy, AccessPolicy>().ReverseMap(); CreateMap<Core.Entities.UserProjectAccessPolicy, UserProjectAccessPolicy>().ReverseMap()
.ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
CreateMap<Core.Entities.GroupProjectAccessPolicy, GroupProjectAccessPolicy>().ReverseMap();
CreateMap<Core.Entities.ServiceAccountProjectAccessPolicy, ServiceAccountProjectAccessPolicy>().ReverseMap();
} }
} }

27
src/Infrastructure.EntityFramework/Repositories/AccessPolicyRepository.cs
View File

@ -1,27 +0,0 @@
using AutoMapper;
using Bit.Core.Repositories;
using Bit.Infrastructure.EntityFramework.Models;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using CoreAccessPolicy = Bit.Core.Entities.AccessPolicy;
namespace Bit.Infrastructure.EntityFramework.Repositories;
public class AccessPolicyRepository : IAccessPolicyRepository
{
public AccessPolicyRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
{
}
protected Func<DatabaseContext, DbSet<AccessPolicy>> GetDbSet { get; private set; }
public Task<CoreAccessPolicy> GetByIdAsync(Guid id) => throw new NotImplementedException();
public Task<CoreAccessPolicy> CreateAsync(CoreAccessPolicy obj) => throw new NotImplementedException();
public Task ReplaceAsync(CoreAccessPolicy obj) => throw new NotImplementedException();
public Task UpsertAsync(CoreAccessPolicy obj) => throw new NotImplementedException();
public Task DeleteAsync(CoreAccessPolicy obj) => throw new NotImplementedException();
}

3
src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
View File

@ -17,6 +17,9 @@ public class DatabaseContext : DbContext
{ } { }
public DbSet<AccessPolicy> AccessPolicies { get; set; } public DbSet<AccessPolicy> AccessPolicies { get; set; }
public DbSet<UserProjectAccessPolicy> UserProjectAccessPolicy { get; set; }
public DbSet<GroupProjectAccessPolicy> GroupProjectAccessPolicy { get; set; }
public DbSet<ServiceAccountProjectAccessPolicy> ServiceAccountProjectAccessPolicy { get; set; }
public DbSet<ApiKey> ApiKeys { get; set; } public DbSet<ApiKey> ApiKeys { get; set; }
public DbSet<Cipher> Ciphers { get; set; } public DbSet<Cipher> Ciphers { get; set; }
public DbSet<Collection> Collections { get; set; } public DbSet<Collection> Collections { get; set; }

185
test/Api.IntegrationTest/Controllers/AccessPoliciesControllerTest.cs Normal file
View File

@ -0,0 +1,185 @@
using System.Net.Http.Headers;
using Bit.Api.IntegrationTest.Factories;
using Bit.Api.IntegrationTest.Helpers;
using Bit.Api.SecretManagerFeatures.Models.Request;
using Bit.Api.SecretManagerFeatures.Models.Response;
using Bit.Core.Entities;
using Bit.Core.Repositories;
using Bit.Test.Common.Helpers;
using Xunit;
namespace Bit.Api.IntegrationTest.Controllers;
public class AccessPoliciesControllerTest : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
{
private readonly IAccessPolicyRepository _accessPolicyRepository;
private readonly HttpClient _client;
private readonly ApiApplicationFactory _factory;
private const string _mockEncryptedString = "2.3Uk+WNBIoU5xzmVFNcoWzz==|1MsPIYuRfdOHfu/0uY6H2Q==|/98sp4wb6pHP1VTZ9JcNCYgQjEUMFPlqJgCwRk1YXKg=";
private readonly IProjectRepository _projectRepository;
private readonly IServiceAccountRepository _serviceAccountRepository;
private Organization _organization = null!;
public AccessPoliciesControllerTest(ApiApplicationFactory factory)
{
_factory = factory;
_client = _factory.CreateClient();
_accessPolicyRepository = _factory.GetService<IAccessPolicyRepository>();
_serviceAccountRepository = _factory.GetService<IServiceAccountRepository>();
_projectRepository = _factory.GetService<IProjectRepository>();
}
public async Task InitializeAsync()
{
var ownerEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
var tokens = await _factory.LoginWithNewAccount(ownerEmail);
var (organization, _) =
await OrganizationTestHelpers.SignUpAsync(_factory, ownerEmail: ownerEmail, billingEmail: ownerEmail);
_client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens.Token);
_organization = organization;
}
public Task DisposeAsync() => Task.CompletedTask;
[Fact]
public async Task CreateProjectAccessPolicies()
{
var initialProject = await _projectRepository.CreateAsync(new Project
{
OrganizationId = _organization.Id,
Name = _mockEncryptedString
});
var initialServiceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
{
OrganizationId = _organization.Id,
Name = _mockEncryptedString
});
var request = new AccessPoliciesCreateRequest
{
ServiceAccountAccessPolicyRequests = new List<AccessPolicyRequest>
{
new() { GranteeId = initialServiceAccount.Id, Read = true, Write = true }
}
};
var response = await _client.PostAsJsonAsync($"/projects/{initialProject.Id}/access-policies", request);
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<ProjectAccessPoliciesResponseModel>();
Assert.NotNull(result);
Assert.Equal(initialServiceAccount.Id, result!.ServiceAccountAccessPolicies.First().ServiceAccountId);
Assert.True(result.ServiceAccountAccessPolicies.First().Read);
Assert.True(result.ServiceAccountAccessPolicies.First().Write);
AssertHelper.AssertRecent(result.ServiceAccountAccessPolicies.First().RevisionDate);
AssertHelper.AssertRecent(result.ServiceAccountAccessPolicies.First().CreationDate);
var createdAccessPolicy =
await _accessPolicyRepository.GetByIdAsync(result.ServiceAccountAccessPolicies.First().Id);
Assert.NotNull(createdAccessPolicy);
Assert.Equal(result.ServiceAccountAccessPolicies.First().Read, createdAccessPolicy!.Read);
Assert.Equal(result.ServiceAccountAccessPolicies.First().Write, createdAccessPolicy.Write);
Assert.Equal(result.ServiceAccountAccessPolicies.First().Id, createdAccessPolicy.Id);
AssertHelper.AssertRecent(createdAccessPolicy.CreationDate);
AssertHelper.AssertRecent(createdAccessPolicy.RevisionDate);
}
[Fact]
public async Task UpdateAccessPolicy()
{
var initData = await SetupAccessPolicyRequest();
const bool expectedRead = true;
const bool expectedWrite = false;
var request = new AccessPolicyUpdateRequest { Read = expectedRead, Write = expectedWrite };
var response = await _client.PutAsJsonAsync($"/access-policies/{initData.InitialAccessPolicyId}", request);
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<ServiceAccountProjectAccessPolicyResponseModel>();
Assert.NotNull(result);
Assert.Equal(expectedRead, result!.Read);
Assert.Equal(expectedWrite, result.Write);
AssertHelper.AssertRecent(result.RevisionDate);
var updatedAccessPolicy = await _accessPolicyRepository.GetByIdAsync(result.Id);
Assert.NotNull(updatedAccessPolicy);
Assert.Equal(expectedRead, updatedAccessPolicy!.Read);
Assert.Equal(expectedWrite, updatedAccessPolicy.Write);
AssertHelper.AssertRecent(updatedAccessPolicy.RevisionDate);
}
[Fact]
public async Task DeleteAccessPolicy()
{
var initData = await SetupAccessPolicyRequest();
var response = await _client.DeleteAsync($"/access-policies/{initData.InitialAccessPolicyId}");
response.EnsureSuccessStatusCode();
var test = await _accessPolicyRepository.GetByIdAsync(initData.InitialAccessPolicyId);
Assert.Null(test);
}
[Fact]
public async Task GetProjectAccessPolicies()
{
var initData = await SetupAccessPolicyRequest();
var response = await _client.GetAsync($"/projects/{initData.InitialProjectId}/access-policies");
response.EnsureSuccessStatusCode();
var result = await response.Content.ReadFromJsonAsync<ProjectAccessPoliciesResponseModel>();
Assert.NotNull(result?.ServiceAccountAccessPolicies);
Assert.Single(result!.ServiceAccountAccessPolicies);
}
private async Task<RequestSetupData> SetupAccessPolicyRequest()
{
var initialProject = await _projectRepository.CreateAsync(new Project
{
OrganizationId = _organization.Id,
Name = _mockEncryptedString,
});
var initialServiceAccount = await _serviceAccountRepository.CreateAsync(new ServiceAccount
{
OrganizationId = _organization.Id,
Name = _mockEncryptedString,
});
var initialAccessPolicy = await _accessPolicyRepository.CreateManyAsync(
new List<BaseAccessPolicy>
{
new ServiceAccountProjectAccessPolicy
{
Read = true,
Write = true,
ServiceAccountId = initialServiceAccount.Id,
GrantedProjectId = initialProject.Id,
}
});
return new RequestSetupData
{
InitialProjectId = initialProject.Id,
InitialServiceAccountId = initialServiceAccount.Id,
InitialAccessPolicyId = initialAccessPolicy.First().Id,
};
}
private class RequestSetupData
{
public Guid InitialProjectId { get; set; }
public Guid InitialAccessPolicyId { get; set; }
public Guid InitialServiceAccountId { get; set; }
}
}

87
test/Api.Test/Controllers/AccessPoliciesControllerTests.cs Normal file
View File

@ -0,0 +1,87 @@
using Bit.Api.Controllers;
using Bit.Api.SecretManagerFeatures.Models.Request;
using Bit.Core.Entities;
using Bit.Core.Repositories;
using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes;
using Bit.Test.Common.Helpers;
using NSubstitute;
using NSubstitute.ReturnsExtensions;
using Xunit;
namespace Bit.Api.Test.Controllers;
[ControllerCustomize(typeof(AccessPoliciesController))]
[SutProviderCustomize]
[JsonDocumentCustomize]
public class AccessPoliciesControllerTests
{
[Theory]
[BitAutoData]
public async void GetAccessPoliciesByProject_ReturnsEmptyList(SutProvider<AccessPoliciesController> sutProvider,
Guid id)
{
var result = await sutProvider.Sut.GetProjectAccessPoliciesAsync(id);
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
.GetManyByProjectId(Arg.Is(AssertHelper.AssertPropertyEqual(id)));
Assert.Empty(result.GroupAccessPolicies);
Assert.Empty(result.UserAccessPolicies);
Assert.Empty(result.ServiceAccountAccessPolicies);
}
[Theory]
[BitAutoData]
public async void GetAccessPoliciesByProject_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id,
UserProjectAccessPolicy resultAccessPolicy)
{
sutProvider.GetDependency<IAccessPolicyRepository>().GetManyByProjectId(default)
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { resultAccessPolicy });
var result = await sutProvider.Sut.GetProjectAccessPoliciesAsync(id);
await sutProvider.GetDependency<IAccessPolicyRepository>().Received(1)
.GetManyByProjectId(Arg.Is(AssertHelper.AssertPropertyEqual(id)));
Assert.Empty(result.GroupAccessPolicies);
Assert.NotEmpty(result.UserAccessPolicies);
Assert.Empty(result.ServiceAccountAccessPolicies);
}
[Theory]
[BitAutoData]
public async void CreateAccessPolicies_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id,
UserProjectAccessPolicy data, AccessPoliciesCreateRequest request)
{
sutProvider.GetDependency<ICreateAccessPoliciesCommand>().CreateAsync(default)
.ReturnsForAnyArgs(new List<BaseAccessPolicy> { data });
var result = await sutProvider.Sut.CreateProjectAccessPoliciesAsync(id, request);
await sutProvider.GetDependency<ICreateAccessPoliciesCommand>().Received(1)
.CreateAsync(Arg.Any<List<BaseAccessPolicy>>());
}
[Theory]
[BitAutoData]
public async void UpdateAccessPolicies_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id,
UserProjectAccessPolicy data, AccessPolicyUpdateRequest request)
{
sutProvider.GetDependency<IUpdateAccessPolicyCommand>().UpdateAsync(default, default, default)
.ReturnsForAnyArgs(data);
var result = await sutProvider.Sut.UpdateAccessPolicyAsync(id, request);
await sutProvider.GetDependency<IUpdateAccessPolicyCommand>().Received(1)
.UpdateAsync(Arg.Any<Guid>(), Arg.Is(request.Read), Arg.Is(request.Write));
}
[Theory]
[BitAutoData]
public async void DeleteAccessPolicies_Success(SutProvider<AccessPoliciesController> sutProvider, Guid id)
{
sutProvider.GetDependency<IDeleteAccessPolicyCommand>().DeleteAsync(default).ReturnsNull();
await sutProvider.Sut.DeleteAccessPolicyAsync(id);
await sutProvider.GetDependency<IDeleteAccessPolicyCommand>().Received(1)
.DeleteAsync(Arg.Any<Guid>());
}
}