mirror of
https://github.com/bitwarden/server.git
synced 2025-02-01 23:31:41 +01:00
[AC-2847] Simplify OrganizationUser and Group PUT methods and tests (#4479)
* refactor controller logic * add additional validation checks to update commands * refactor and improve tests
This commit is contained in:
Thomas Rittson
GitHub
parent
7fee588812
commit
5df0e2180d
@ -135,7 +135,7 @@ public class GroupsController : Controller
|
||||
.Succeeded;
|
||||
if (!authorized)
|
||||
{
|
||||
throw new NotFoundException("You are not authorized to grant access to these collections.");
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
@ -175,13 +175,20 @@ public class GroupsController : Controller
|
||||
/// </summary>
|
||||
private async Task<GroupResponseModel> Put_vNext(Guid orgId, Guid id, [FromBody] GroupRequestModel model)
|
||||
{
|
||||
var (group, currentAccess) = await _groupRepository.GetByIdWithCollectionsAsync(id);
|
||||
if (group == null || !await _currentContext.ManageGroups(group.OrganizationId))
|
||||
if (!await _currentContext.ManageGroups(orgId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
// Check whether the user is permitted to add themselves to the group
|
||||
var (group, currentAccess) = await _groupRepository.GetByIdWithCollectionsAsync(id);
|
||||
if (group == null || group.OrganizationId != orgId)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
// Authorization check:
|
||||
// If admins are not allowed access to all collections, you cannot add yourself to a group.
|
||||
// No error is thrown for this, we just don't update groups.
|
||||
var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
|
||||
if (!orgAbility.AllowAdminAccessToAllCollectionItems)
|
||||
{
|
||||
@ -195,9 +202,23 @@ public class GroupsController : Controller
|
||||
}
|
||||
}
|
||||
|
||||
// Authorization check:
|
||||
// You must have authorization to ModifyUserAccess for all collections being saved
|
||||
var postedCollections = await _collectionRepository
|
||||
.GetManyByManyIdsAsync(model.Collections.Select(c => c.Id));
|
||||
foreach (var collection in postedCollections)
|
||||
{
|
||||
if (!(await _authorizationService.AuthorizeAsync(User, collection,
|
||||
BulkCollectionOperations.ModifyGroupAccess))
|
||||
.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
// The client only sends collections that the saving user has permissions to edit.
|
||||
// On the server side, we need to (1) confirm this and (2) concat these with the collections that the user
|
||||
// can't edit before saving to the database.
|
||||
// We need to combine these with collections that the user doesn't have permissions for, so that we don't
|
||||
// accidentally overwrite those
|
||||
var currentCollections = await _collectionRepository
|
||||
.GetManyByManyIdsAsync(currentAccess.Select(cas => cas.Id));
|
||||
|
||||
@ -211,11 +232,6 @@ public class GroupsController : Controller
|
||||
}
|
||||
}
|
||||
|
||||
if (model.Collections.Any(c => readonlyCollectionIds.Contains(c.Id)))
|
||||
{
|
||||
throw new BadRequestException("You must have Can Manage permissions to edit a collection's membership");
|
||||
}
|
||||
|
||||
var editedCollectionAccess = model.Collections
|
||||
.Select(c => c.ToSelectionReadOnly());
|
||||
var readonlyCollectionAccess = currentAccess
|
||||
|
||||
@ -230,7 +230,7 @@ public class OrganizationUsersController : Controller
|
||||
.Succeeded;
|
||||
if (!authorized)
|
||||
{
|
||||
throw new NotFoundException("You are not authorized to grant access to these collections.");
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
@ -400,13 +400,15 @@ public class OrganizationUsersController : Controller
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var editingSelf = userId == organizationUser.UserId;
|
||||
|
||||
// Authorization check:
|
||||
// If admins are not allowed access to all collections, you cannot add yourself to a group.
|
||||
// In this case we just don't update groups.
|
||||
// No error is thrown for this, we just don't update groups.
|
||||
var organizationAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId);
|
||||
var groupsToSave = editingSelf && !organizationAbility.AllowAdminAccessToAllCollectionItems
|
||||
? null
|
||||
: model.Groups;
|
||||
|
||||
// Authorization check:
|
||||
// If admins are not allowed access to all collections, you cannot add yourself to collections.
|
||||
// This is not caught by the requirement below that you can ModifyUserAccess and must be checked separately
|
||||
var currentAccessIds = currentAccess.Select(c => c.Id).ToHashSet();
|
||||
@ -417,9 +419,23 @@ public class OrganizationUsersController : Controller
|
||||
throw new BadRequestException("You cannot add yourself to a collection.");
|
||||
}
|
||||
|
||||
// Authorization check:
|
||||
// You must have authorization to ModifyUserAccess for all collections being saved
|
||||
var postedCollections = await _collectionRepository
|
||||
.GetManyByManyIdsAsync(model.Collections.Select(c => c.Id));
|
||||
foreach (var collection in postedCollections)
|
||||
{
|
||||
if (!(await _authorizationService.AuthorizeAsync(User, collection,
|
||||
BulkCollectionOperations.ModifyUserAccess))
|
||||
.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
// The client only sends collections that the saving user has permissions to edit.
|
||||
// On the server side, we need to (1) make sure the user has permissions for these collections, and
|
||||
// (2) concat these with the collections that the user can't edit before saving to the database.
|
||||
// We need to combine these with collections that the user doesn't have permissions for, so that we don't
|
||||
// accidentally overwrite those
|
||||
var currentCollections = await _collectionRepository
|
||||
.GetManyByManyIdsAsync(currentAccess.Select(cas => cas.Id));
|
||||
|
||||
@ -433,11 +449,6 @@ public class OrganizationUsersController : Controller
|
||||
}
|
||||
}
|
||||
|
||||
if (model.Collections.Any(c => readonlyCollectionIds.Contains(c.Id)))
|
||||
{
|
||||
throw new BadRequestException("You must have Can Manage permissions to edit a collection's membership");
|
||||
}
|
||||
|
||||
var editedCollectionAccess = model.Collections
|
||||
.Select(c => c.ToSelectionReadOnly());
|
||||
var readonlyCollectionAccess = currentAccess
|
||||
|
||||
@ -1,4 +1,6 @@
|
||||
using Bit.Core.AdminConsole.Entities;
|
||||
#nullable enable
|
||||
|
||||
using Bit.Core.AdminConsole.Entities;
|
||||
using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
|
||||
using Bit.Core.AdminConsole.Repositories;
|
||||
using Bit.Core.Enums;
|
||||
@ -14,48 +16,53 @@ public class UpdateGroupCommand : IUpdateGroupCommand
|
||||
private readonly IEventService _eventService;
|
||||
private readonly IGroupRepository _groupRepository;
|
||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||
private readonly ICollectionRepository _collectionRepository;
|
||||
|
||||
public UpdateGroupCommand(
|
||||
IEventService eventService,
|
||||
IGroupRepository groupRepository,
|
||||
IOrganizationUserRepository organizationUserRepository)
|
||||
IOrganizationUserRepository organizationUserRepository,
|
||||
ICollectionRepository collectionRepository)
|
||||
{
|
||||
_eventService = eventService;
|
||||
_groupRepository = groupRepository;
|
||||
_organizationUserRepository = organizationUserRepository;
|
||||
_collectionRepository = collectionRepository;
|
||||
}
|
||||
|
||||
public async Task UpdateGroupAsync(Group group, Organization organization,
|
||||
ICollection<CollectionAccessSelection> collections = null,
|
||||
IEnumerable<Guid> userIds = null)
|
||||
ICollection<CollectionAccessSelection>? collections = null,
|
||||
IEnumerable<Guid>? userIds = null)
|
||||
{
|
||||
Validate(organization, group, collections);
|
||||
await GroupRepositoryUpdateGroupAsync(group, collections);
|
||||
await ValidateAsync(organization, group, collections, userIds);
|
||||
|
||||
await SaveGroupWithCollectionsAsync(group, collections);
|
||||
|
||||
if (userIds != null)
|
||||
{
|
||||
await GroupRepositoryUpdateUsersAsync(group, userIds);
|
||||
await SaveGroupUsersAsync(group, userIds);
|
||||
}
|
||||
|
||||
await _eventService.LogGroupEventAsync(group, Core.Enums.EventType.Group_Updated);
|
||||
}
|
||||
|
||||
public async Task UpdateGroupAsync(Group group, Organization organization, EventSystemUser systemUser,
|
||||
ICollection<CollectionAccessSelection> collections = null,
|
||||
IEnumerable<Guid> userIds = null)
|
||||
ICollection<CollectionAccessSelection>? collections = null,
|
||||
IEnumerable<Guid>? userIds = null)
|
||||
{
|
||||
Validate(organization, group, collections);
|
||||
await GroupRepositoryUpdateGroupAsync(group, collections);
|
||||
await ValidateAsync(organization, group, collections, userIds);
|
||||
|
||||
await SaveGroupWithCollectionsAsync(group, collections);
|
||||
|
||||
if (userIds != null)
|
||||
{
|
||||
await GroupRepositoryUpdateUsersAsync(group, userIds, systemUser);
|
||||
await SaveGroupUsersAsync(group, userIds, systemUser);
|
||||
}
|
||||
|
||||
await _eventService.LogGroupEventAsync(group, Core.Enums.EventType.Group_Updated, systemUser);
|
||||
}
|
||||
|
||||
private async Task GroupRepositoryUpdateGroupAsync(Group group, IEnumerable<CollectionAccessSelection> collections = null)
|
||||
private async Task SaveGroupWithCollectionsAsync(Group group, IEnumerable<CollectionAccessSelection>? collections = null)
|
||||
{
|
||||
group.RevisionDate = DateTime.UtcNow;
|
||||
|
||||
@ -69,7 +76,7 @@ public class UpdateGroupCommand : IUpdateGroupCommand
|
||||
}
|
||||
}
|
||||
|
||||
private async Task GroupRepositoryUpdateUsersAsync(Group group, IEnumerable<Guid> userIds, EventSystemUser? systemUser = null)
|
||||
private async Task SaveGroupUsersAsync(Group group, IEnumerable<Guid> userIds, EventSystemUser? systemUser = null)
|
||||
{
|
||||
var newUserIds = userIds as Guid[] ?? userIds.ToArray();
|
||||
var originalUserIds = await _groupRepository.GetManyUserIdsByIdAsync(group.Id);
|
||||
@ -97,11 +104,15 @@ public class UpdateGroupCommand : IUpdateGroupCommand
|
||||
}
|
||||
}
|
||||
|
||||
private static void Validate(Organization organization, Group group, IEnumerable<CollectionAccessSelection> collections)
|
||||
private async Task ValidateAsync(Organization organization, Group group, ICollection<CollectionAccessSelection>? collectionAccess,
|
||||
IEnumerable<Guid>? memberAccess)
|
||||
{
|
||||
if (organization == null)
|
||||
// Avoid multiple enumeration
|
||||
memberAccess = memberAccess?.ToList();
|
||||
|
||||
if (organization == null || organization.Id != group.OrganizationId)
|
||||
{
|
||||
throw new BadRequestException("Organization not found");
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
if (!organization.UseGroups)
|
||||
@ -109,15 +120,73 @@ public class UpdateGroupCommand : IUpdateGroupCommand
|
||||
throw new BadRequestException("This organization cannot use groups.");
|
||||
}
|
||||
|
||||
var originalGroup = await _groupRepository.GetByIdAsync(group.Id);
|
||||
if (originalGroup == null || originalGroup.OrganizationId != group.OrganizationId)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
if (collectionAccess?.Any() == true)
|
||||
{
|
||||
await ValidateCollectionAccessAsync(originalGroup, collectionAccess);
|
||||
}
|
||||
|
||||
if (memberAccess?.Any() == true)
|
||||
{
|
||||
await ValidateMemberAccessAsync(originalGroup, memberAccess.ToList());
|
||||
}
|
||||
|
||||
if (group.AccessAll)
|
||||
{
|
||||
throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the group to collections instead.");
|
||||
}
|
||||
|
||||
var invalidAssociations = collections?.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
|
||||
var invalidAssociations = collectionAccess?.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
|
||||
if (invalidAssociations?.Any() ?? false)
|
||||
{
|
||||
throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
|
||||
}
|
||||
}
|
||||
|
||||
private async Task ValidateCollectionAccessAsync(Group originalGroup,
|
||||
ICollection<CollectionAccessSelection> collectionAccess)
|
||||
{
|
||||
var collections = await _collectionRepository
|
||||
.GetManyByManyIdsAsync(collectionAccess.Select(c => c.Id));
|
||||
var collectionIds = collections.Select(c => c.Id);
|
||||
|
||||
var missingCollection = collectionAccess
|
||||
.FirstOrDefault(cas => !collectionIds.Contains(cas.Id));
|
||||
if (missingCollection != default)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var invalidCollection = collections.FirstOrDefault(c => c.OrganizationId != originalGroup.OrganizationId);
|
||||
if (invalidCollection != default)
|
||||
{
|
||||
// Use generic error message to avoid enumeration
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
private async Task ValidateMemberAccessAsync(Group originalGroup,
|
||||
ICollection<Guid> memberAccess)
|
||||
{
|
||||
var members = await _organizationUserRepository.GetManyAsync(memberAccess);
|
||||
var memberIds = members.Select(g => g.Id);
|
||||
|
||||
var missingMemberId = memberAccess.FirstOrDefault(mId => !memberIds.Contains(mId));
|
||||
if (missingMemberId != default)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var invalidMember = members.FirstOrDefault(m => m.OrganizationId != originalGroup.OrganizationId);
|
||||
if (invalidMember != default)
|
||||
{
|
||||
// Use generic error message to avoid enumeration
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -6,5 +6,6 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interface
|
||||
|
||||
public interface IUpdateOrganizationUserCommand
|
||||
{
|
||||
Task UpdateUserAsync(OrganizationUser user, Guid? savingUserId, List<CollectionAccessSelection> collections, IEnumerable<Guid>? groups);
|
||||
Task UpdateUserAsync(OrganizationUser user, Guid? savingUserId,
|
||||
List<CollectionAccessSelection>? collectionAccess, IEnumerable<Guid>? groupAccess);
|
||||
}
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
#nullable enable
|
||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
|
||||
using Bit.Core.AdminConsole.Repositories;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
@ -19,6 +20,8 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
|
||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||
private readonly ICountNewSmSeatsRequiredQuery _countNewSmSeatsRequiredQuery;
|
||||
private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
|
||||
private readonly ICollectionRepository _collectionRepository;
|
||||
private readonly IGroupRepository _groupRepository;
|
||||
|
||||
public UpdateOrganizationUserCommand(
|
||||
IEventService eventService,
|
||||
@ -26,7 +29,9 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
|
||||
IOrganizationRepository organizationRepository,
|
||||
IOrganizationUserRepository organizationUserRepository,
|
||||
ICountNewSmSeatsRequiredQuery countNewSmSeatsRequiredQuery,
|
||||
IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand)
|
||||
IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
|
||||
ICollectionRepository collectionRepository,
|
||||
IGroupRepository groupRepository)
|
||||
{
|
||||
_eventService = eventService;
|
||||
_organizationService = organizationService;
|
||||
@ -34,17 +39,45 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
|
||||
_organizationUserRepository = organizationUserRepository;
|
||||
_countNewSmSeatsRequiredQuery = countNewSmSeatsRequiredQuery;
|
||||
_updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
|
||||
_collectionRepository = collectionRepository;
|
||||
_groupRepository = groupRepository;
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Update an organization user.
|
||||
/// </summary>
|
||||
/// <param name="user">The modified user to save.</param>
|
||||
/// <param name="savingUserId">The userId of the currently logged in user who is making the change.</param>
|
||||
/// <param name="collectionAccess">The user's updated collection access. If set to null, this removes all collection access.</param>
|
||||
/// <param name="groupAccess">The user's updated group access. If set to null, groups are not updated.</param>
|
||||
/// <exception cref="BadRequestException"></exception>
|
||||
public async Task UpdateUserAsync(OrganizationUser user, Guid? savingUserId,
|
||||
List<CollectionAccessSelection>? collections, IEnumerable<Guid>? groups)
|
||||
List<CollectionAccessSelection>? collectionAccess, IEnumerable<Guid>? groupAccess)
|
||||
{
|
||||
// Avoid multiple enumeration
|
||||
collectionAccess = collectionAccess?.ToList();
|
||||
groupAccess = groupAccess?.ToList();
|
||||
|
||||
if (user.Id.Equals(default(Guid)))
|
||||
{
|
||||
throw new BadRequestException("Invite the user first.");
|
||||
}
|
||||
|
||||
var originalUser = await _organizationUserRepository.GetByIdAsync(user.Id);
|
||||
if (originalUser == null || user.OrganizationId != originalUser.OrganizationId)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
if (collectionAccess?.Any() == true)
|
||||
{
|
||||
await ValidateCollectionAccessAsync(originalUser, collectionAccess.ToList());
|
||||
}
|
||||
|
||||
if (groupAccess?.Any() == true)
|
||||
{
|
||||
await ValidateGroupAccessAsync(originalUser, groupAccess.ToList());
|
||||
}
|
||||
|
||||
if (savingUserId.HasValue)
|
||||
{
|
||||
@ -64,9 +97,9 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
|
||||
throw new BadRequestException("The AccessAll property has been deprecated by collection enhancements. Assign the user to collections instead.");
|
||||
}
|
||||
|
||||
if (collections?.Count > 0)
|
||||
if (collectionAccess?.Count > 0)
|
||||
{
|
||||
var invalidAssociations = collections.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
|
||||
var invalidAssociations = collectionAccess.Where(cas => cas.Manage && (cas.ReadOnly || cas.HidePasswords));
|
||||
if (invalidAssociations.Any())
|
||||
{
|
||||
throw new BadRequestException("The Manage property is mutually exclusive and cannot be true while the ReadOnly or HidePasswords properties are also true.");
|
||||
@ -87,13 +120,55 @@ public class UpdateOrganizationUserCommand : IUpdateOrganizationUserCommand
|
||||
}
|
||||
}
|
||||
|
||||
await _organizationUserRepository.ReplaceAsync(user, collections);
|
||||
await _organizationUserRepository.ReplaceAsync(user, collectionAccess);
|
||||
|
||||
if (groups != null)
|
||||
if (groupAccess != null)
|
||||
{
|
||||
await _organizationUserRepository.UpdateGroupsAsync(user.Id, groups);
|
||||
await _organizationUserRepository.UpdateGroupsAsync(user.Id, groupAccess);
|
||||
}
|
||||
|
||||
await _eventService.LogOrganizationUserEventAsync(user, EventType.OrganizationUser_Updated);
|
||||
}
|
||||
|
||||
private async Task ValidateCollectionAccessAsync(OrganizationUser originalUser,
|
||||
ICollection<CollectionAccessSelection> collectionAccess)
|
||||
{
|
||||
var collections = await _collectionRepository
|
||||
.GetManyByManyIdsAsync(collectionAccess.Select(c => c.Id));
|
||||
var collectionIds = collections.Select(c => c.Id);
|
||||
|
||||
var missingCollection = collectionAccess
|
||||
.FirstOrDefault(cas => !collectionIds.Contains(cas.Id));
|
||||
if (missingCollection != default)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var invalidCollection = collections.FirstOrDefault(c => c.OrganizationId != originalUser.OrganizationId);
|
||||
if (invalidCollection != default)
|
||||
{
|
||||
// Use generic error message to avoid enumeration
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
|
||||
private async Task ValidateGroupAccessAsync(OrganizationUser originalUser,
|
||||
ICollection<Guid> groupAccess)
|
||||
{
|
||||
var groups = await _groupRepository.GetManyByManyIds(groupAccess);
|
||||
var groupIds = groups.Select(g => g.Id);
|
||||
|
||||
var missingGroupId = groupAccess.FirstOrDefault(gId => !groupIds.Contains(gId));
|
||||
if (missingGroupId != default)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var invalidGroup = groups.FirstOrDefault(g => g.OrganizationId != originalUser.OrganizationId);
|
||||
if (invalidGroup != default)
|
||||
{
|
||||
// Use generic error message to avoid enumeration
|
||||
throw new NotFoundException();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@ -0,0 +1,321 @@
|
||||
using System.Security.Claims;
|
||||
using Bit.Api.AdminConsole.Controllers;
|
||||
using Bit.Api.AdminConsole.Models.Request;
|
||||
using Bit.Api.Models.Request;
|
||||
using Bit.Api.Vault.AuthorizationHandlers.Collections;
|
||||
using Bit.Core;
|
||||
using Bit.Core.AdminConsole.Entities;
|
||||
using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
|
||||
using Bit.Core.AdminConsole.Repositories;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Models.Data;
|
||||
using Bit.Core.Models.Data.Organizations;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Core.Utilities;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using NSubstitute;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Api.Test.AdminConsole.Controllers;
|
||||
|
||||
[ControllerCustomize(typeof(GroupsController))]
|
||||
[SutProviderCustomize]
|
||||
public class GroupsControllerPutTests
|
||||
{
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_WithAdminAccess_Success(Organization organization, Group group,
|
||||
GroupRequestModel groupRequestModel, List<CollectionAccessSelection> existingCollectionAccess,
|
||||
OrganizationUser savingUser, SutProvider<GroupsController> sutProvider)
|
||||
{
|
||||
Put_Setup(sutProvider, organization, true, group, savingUser, existingCollectionAccess, []);
|
||||
|
||||
var requestModelCollectionIds = groupRequestModel.Collections.Select(c => c.Id).ToHashSet();
|
||||
|
||||
// Authorize all changes for basic happy path test
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Any<Collection>(),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
|
||||
.Returns(AuthorizationResult.Success());
|
||||
|
||||
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
|
||||
|
||||
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
|
||||
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
|
||||
Arg.Is<Group>(g =>
|
||||
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
|
||||
Arg.Is<Organization>(o => o.Id == organization.Id),
|
||||
// Should overwrite any existing collections
|
||||
Arg.Is<ICollection<CollectionAccessSelection>>(access =>
|
||||
access.All(c => requestModelCollectionIds.Contains(c.Id))),
|
||||
Arg.Is<IEnumerable<Guid>>(guids => guids.ToHashSet().SetEquals(groupRequestModel.Users.ToHashSet())));
|
||||
Assert.Equal(groupRequestModel.Name, response.Name);
|
||||
Assert.Equal(organization.Id, response.OrganizationId);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateMembers_NoAdminAccess_CannotAddSelfToGroup(Organization organization, Group group,
|
||||
GroupRequestModel groupRequestModel, OrganizationUser savingUser, List<Guid> currentGroupUsers,
|
||||
SutProvider<GroupsController> sutProvider)
|
||||
{
|
||||
// Not updating collections
|
||||
groupRequestModel.Collections = [];
|
||||
|
||||
Put_Setup(sutProvider, organization, false, group, savingUser,
|
||||
currentCollectionAccess: [], currentGroupUsers);
|
||||
|
||||
// Saving user is trying to add themselves to the group
|
||||
var updatedUsers = groupRequestModel.Users.ToList();
|
||||
updatedUsers.Add(savingUser.Id);
|
||||
groupRequestModel.Users = updatedUsers;
|
||||
|
||||
var exception = await
|
||||
Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel));
|
||||
|
||||
Assert.Contains("You cannot add yourself to groups", exception.Message);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateMembers_NoAdminAccess_AlreadyInGroup_Success(Organization organization, Group group,
|
||||
GroupRequestModel groupRequestModel, OrganizationUser savingUser, List<Guid> currentGroupUsers,
|
||||
SutProvider<GroupsController> sutProvider)
|
||||
{
|
||||
// Not changing collection access
|
||||
groupRequestModel.Collections = [];
|
||||
|
||||
// Saving user is trying to add themselves to the group
|
||||
var updatedUsers = groupRequestModel.Users.ToList();
|
||||
updatedUsers.Add(savingUser.Id);
|
||||
groupRequestModel.Users = updatedUsers;
|
||||
|
||||
// But! they are already a member of the group
|
||||
currentGroupUsers.Add(savingUser.Id);
|
||||
|
||||
Put_Setup(sutProvider, organization, false, group, savingUser, currentCollectionAccess: [], currentGroupUsers);
|
||||
|
||||
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
|
||||
|
||||
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
|
||||
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
|
||||
Arg.Is<Group>(g =>
|
||||
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
|
||||
Arg.Is<Organization>(o => o.Id == organization.Id),
|
||||
Arg.Any<ICollection<CollectionAccessSelection>>(),
|
||||
Arg.Any<IEnumerable<Guid>>());
|
||||
Assert.Equal(groupRequestModel.Name, response.Name);
|
||||
Assert.Equal(organization.Id, response.OrganizationId);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateMembers_WithAdminAccess_CanAddSelfToGroup(Organization organization, Group group,
|
||||
GroupRequestModel groupRequestModel, OrganizationUser savingUser, List<Guid> currentGroupUsers,
|
||||
SutProvider<GroupsController> sutProvider)
|
||||
{
|
||||
// Not updating collections
|
||||
groupRequestModel.Collections = [];
|
||||
|
||||
Put_Setup(sutProvider, organization, true, group, savingUser,
|
||||
currentCollectionAccess: [], currentGroupUsers);
|
||||
|
||||
// Saving user is trying to add themselves to the group
|
||||
var updatedUsers = groupRequestModel.Users.ToList();
|
||||
updatedUsers.Add(savingUser.Id);
|
||||
groupRequestModel.Users = updatedUsers;
|
||||
|
||||
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
|
||||
|
||||
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
|
||||
Arg.Is<Group>(g =>
|
||||
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
|
||||
Arg.Is<Organization>(o => o.Id == organization.Id),
|
||||
Arg.Any<ICollection<CollectionAccessSelection>>(),
|
||||
Arg.Is<IEnumerable<Guid>>(guids => guids.ToHashSet().SetEquals(groupRequestModel.Users.ToHashSet())));
|
||||
Assert.Equal(groupRequestModel.Name, response.Name);
|
||||
Assert.Equal(organization.Id, response.OrganizationId);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateMembers_NoAdminAccess_ProviderUser_Success(Organization organization, Group group,
|
||||
GroupRequestModel groupRequestModel, List<Guid> currentGroupUsers, SutProvider<GroupsController> sutProvider)
|
||||
{
|
||||
// Make collection authorization pass, it's not being tested here
|
||||
groupRequestModel.Collections = Array.Empty<SelectionReadOnlyRequestModel>();
|
||||
|
||||
Put_Setup(sutProvider, organization, false, group, null, currentCollectionAccess: [], currentGroupUsers);
|
||||
|
||||
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
|
||||
|
||||
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
|
||||
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
|
||||
Arg.Is<Group>(g =>
|
||||
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
|
||||
Arg.Is<Organization>(o => o.Id == organization.Id),
|
||||
Arg.Any<ICollection<CollectionAccessSelection>>(),
|
||||
Arg.Any<IEnumerable<Guid>>());
|
||||
Assert.Equal(groupRequestModel.Name, response.Name);
|
||||
Assert.Equal(organization.Id, response.OrganizationId);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateCollections_DoesNotOverwriteUnauthorizedCollections(GroupRequestModel groupRequestModel,
|
||||
Group group, Organization organization,
|
||||
SutProvider<GroupsController> sutProvider, OrganizationUser savingUser)
|
||||
{
|
||||
var editedCollectionId = CoreHelpers.GenerateComb();
|
||||
var readonlyCollectionId1 = CoreHelpers.GenerateComb();
|
||||
var readonlyCollectionId2 = CoreHelpers.GenerateComb();
|
||||
|
||||
var currentCollectionAccess = new List<CollectionAccessSelection>
|
||||
{
|
||||
new()
|
||||
{
|
||||
Id = editedCollectionId,
|
||||
HidePasswords = true,
|
||||
Manage = false,
|
||||
ReadOnly = true
|
||||
},
|
||||
new()
|
||||
{
|
||||
Id = readonlyCollectionId1,
|
||||
HidePasswords = false,
|
||||
Manage = true,
|
||||
ReadOnly = false
|
||||
},
|
||||
new()
|
||||
{
|
||||
Id = readonlyCollectionId2,
|
||||
HidePasswords = false,
|
||||
Manage = false,
|
||||
ReadOnly = false
|
||||
},
|
||||
};
|
||||
|
||||
Put_Setup(sutProvider, organization, false, group, savingUser, currentCollectionAccess, currentGroupUsers: []);
|
||||
|
||||
// User is upgrading editedCollectionId to manage
|
||||
groupRequestModel.Collections = new List<SelectionReadOnlyRequestModel>
|
||||
{
|
||||
new() { Id = editedCollectionId, HidePasswords = false, Manage = true, ReadOnly = false }
|
||||
};
|
||||
|
||||
// Authorize the editedCollection
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == editedCollectionId),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
|
||||
.Returns(AuthorizationResult.Success());
|
||||
|
||||
// Do not authorize the readonly collections
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == readonlyCollectionId1 || c.Id == readonlyCollectionId2),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
|
||||
.Returns(AuthorizationResult.Failed());
|
||||
|
||||
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
|
||||
|
||||
// Expect all collection access (modified and unmodified) to be saved
|
||||
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
|
||||
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
|
||||
Arg.Is<Group>(g =>
|
||||
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
|
||||
Arg.Is<Organization>(o => o.Id == organization.Id),
|
||||
Arg.Is<List<CollectionAccessSelection>>(cas =>
|
||||
cas.Select(c => c.Id).SequenceEqual(currentCollectionAccess.Select(c => c.Id)) &&
|
||||
cas.First(c => c.Id == editedCollectionId).Manage == true &&
|
||||
cas.First(c => c.Id == editedCollectionId).ReadOnly == false &&
|
||||
cas.First(c => c.Id == editedCollectionId).HidePasswords == false),
|
||||
Arg.Any<IEnumerable<Guid>>());
|
||||
Assert.Equal(groupRequestModel.Name, response.Name);
|
||||
Assert.Equal(organization.Id, response.OrganizationId);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotUpdateCollections(GroupRequestModel groupRequestModel,
|
||||
Group group, Organization organization,
|
||||
SutProvider<GroupsController> sutProvider, OrganizationUser savingUser)
|
||||
{
|
||||
// Group is currently assigned to the POSTed collections
|
||||
Put_Setup(sutProvider, organization, false, group, savingUser,
|
||||
groupRequestModel.Collections.Select(cas => cas.ToSelectionReadOnly()).ToList(),
|
||||
[]);
|
||||
|
||||
var postedCollectionIds = groupRequestModel.Collections.Select(c => c.Id).ToHashSet();
|
||||
|
||||
// But the saving user does not have permission to update them
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => postedCollectionIds.Contains(c.Id)),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
|
||||
.Returns(AuthorizationResult.Failed());
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotAddCollections(GroupRequestModel groupRequestModel,
|
||||
Group group, Organization organization,
|
||||
SutProvider<GroupsController> sutProvider, OrganizationUser savingUser)
|
||||
{
|
||||
// Group is not assigned to the POSTed collections
|
||||
Put_Setup(sutProvider, organization, false, group, savingUser, [], []);
|
||||
|
||||
var postedCollectionIds = groupRequestModel.Collections.Select(c => c.Id).ToHashSet();
|
||||
|
||||
// But the saving user does not have permission to update them
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => postedCollectionIds.Contains(c.Id)),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
|
||||
.Returns(AuthorizationResult.Failed());
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel));
|
||||
}
|
||||
|
||||
private void Put_Setup(SutProvider<GroupsController> sutProvider, Organization organization,
|
||||
bool adminAccess, Group group, OrganizationUser? savingUser, List<CollectionAccessSelection> currentCollectionAccess,
|
||||
List<Guid> currentGroupUsers)
|
||||
{
|
||||
// FCv1 is now fully enabled
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
|
||||
var orgId = organization.Id = group.OrganizationId;
|
||||
|
||||
// Arrange org and orgAbility
|
||||
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
|
||||
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(orgId)
|
||||
.Returns(new OrganizationAbility
|
||||
{
|
||||
Id = organization.Id,
|
||||
AllowAdminAccessToAllCollectionItems = adminAccess
|
||||
});
|
||||
|
||||
// Arrange user
|
||||
// If no savingUser provided, they're not an org user, just return a random guid
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(savingUser?.UserId ?? CoreHelpers.GenerateComb());
|
||||
sutProvider.GetDependency<ICurrentContext>().ManageGroups(orgId).Returns(true);
|
||||
|
||||
// Arrange repositories
|
||||
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id).Returns(currentGroupUsers ?? []);
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
|
||||
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, currentCollectionAccess ?? []));
|
||||
if (savingUser != null)
|
||||
{
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>().GetByOrganizationAsync(orgId, savingUser.UserId.Value)
|
||||
.Returns(savingUser);
|
||||
}
|
||||
|
||||
// Collection repository: return mock Collection objects for any ids passed in
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>().Select(guid => new Collection { Id = guid }).ToList());
|
||||
}
|
||||
}
|
||||
@ -1,12 +1,10 @@
|
||||
using System.Security.Claims;
|
||||
using Bit.Api.AdminConsole.Controllers;
|
||||
using Bit.Api.AdminConsole.Models.Request;
|
||||
using Bit.Api.Models.Request;
|
||||
using Bit.Api.Vault.AuthorizationHandlers.Collections;
|
||||
using Bit.Core;
|
||||
using Bit.Core.AdminConsole.Entities;
|
||||
using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
|
||||
using Bit.Core.AdminConsole.Repositories;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
@ -14,7 +12,6 @@ using Bit.Core.Models.Data;
|
||||
using Bit.Core.Models.Data.Organizations;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Core.Utilities;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
@ -111,321 +108,9 @@ public class GroupsControllerTests
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
|
||||
.Returns(AuthorizationResult.Failed());
|
||||
|
||||
var exception = await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Post(organization.Id, groupRequestModel));
|
||||
|
||||
Assert.Contains("You are not authorized to grant access to these collections.", exception.Message);
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Post(organization.Id, groupRequestModel));
|
||||
|
||||
await sutProvider.GetDependency<ICreateGroupCommand>().DidNotReceiveWithAnyArgs()
|
||||
.CreateGroupAsync(default, default, default, default);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_AdminsCanAccessAllCollections_Success(Organization organization, Group group,
|
||||
GroupRequestModel groupRequestModel, List<CollectionAccessSelection> existingCollectionAccess,
|
||||
SutProvider<GroupsController> sutProvider)
|
||||
{
|
||||
group.OrganizationId = organization.Id;
|
||||
|
||||
// Enable FC and v1, set Collection Management Setting
|
||||
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
|
||||
new OrganizationAbility { Id = organization.Id, AllowAdminAccessToAllCollectionItems = true });
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
|
||||
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
|
||||
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, existingCollectionAccess));
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(existingCollectionAccess.Select(c => c.Id))
|
||||
.Returns(existingCollectionAccess.Select(c => new Collection { Id = c.Id }).ToList());
|
||||
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
|
||||
|
||||
var requestModelCollectionIds = groupRequestModel.Collections.Select(c => c.Id).ToHashSet();
|
||||
|
||||
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
|
||||
|
||||
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
|
||||
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
|
||||
Arg.Is<Group>(g =>
|
||||
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
|
||||
Arg.Is<Organization>(o => o.Id == organization.Id),
|
||||
// Should overwrite any existing collections
|
||||
Arg.Is<ICollection<CollectionAccessSelection>>(access =>
|
||||
access.All(c => requestModelCollectionIds.Contains(c.Id))),
|
||||
Arg.Any<IEnumerable<Guid>>());
|
||||
Assert.Equal(groupRequestModel.Name, response.Name);
|
||||
Assert.Equal(organization.Id, response.OrganizationId);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateMembers_AdminsCannotAccessAllCollections_CannotAddSelfToGroup(Organization organization, Group group,
|
||||
GroupRequestModel groupRequestModel, OrganizationUser savingOrganizationUser, List<Guid> currentGroupUsers,
|
||||
SutProvider<GroupsController> sutProvider)
|
||||
{
|
||||
group.OrganizationId = organization.Id;
|
||||
|
||||
// Enable FC and v1
|
||||
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
|
||||
new OrganizationAbility
|
||||
{
|
||||
Id = organization.Id,
|
||||
AllowAdminAccessToAllCollectionItems = false,
|
||||
});
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
|
||||
// Saving user is trying to add themselves to the group
|
||||
var updatedUsers = groupRequestModel.Users.ToList();
|
||||
updatedUsers.Add(savingOrganizationUser.Id);
|
||||
groupRequestModel.Users = updatedUsers;
|
||||
|
||||
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
|
||||
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, new List<CollectionAccessSelection>()));
|
||||
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByOrganizationAsync(organization.Id, Arg.Any<Guid>())
|
||||
.Returns(savingOrganizationUser);
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>())
|
||||
.Returns(savingOrganizationUser.UserId);
|
||||
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id)
|
||||
.Returns(currentGroupUsers);
|
||||
|
||||
var exception = await
|
||||
Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel));
|
||||
|
||||
Assert.Contains("You cannot add yourself to groups", exception.Message);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateMembers_AdminsCannotAccessAllCollections_AlreadyInGroup_Success(Organization organization, Group group,
|
||||
GroupRequestModel groupRequestModel, OrganizationUser savingOrganizationUser, List<Guid> currentGroupUsers,
|
||||
SutProvider<GroupsController> sutProvider)
|
||||
{
|
||||
group.OrganizationId = organization.Id;
|
||||
|
||||
// Enable FC and v1
|
||||
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
|
||||
new OrganizationAbility
|
||||
{
|
||||
Id = organization.Id,
|
||||
AllowAdminAccessToAllCollectionItems = false,
|
||||
});
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
|
||||
// Saving user is trying to add themselves to the group
|
||||
var updatedUsers = groupRequestModel.Users.ToList();
|
||||
updatedUsers.Add(savingOrganizationUser.Id);
|
||||
groupRequestModel.Users = updatedUsers;
|
||||
|
||||
// But! they are already a member of the group
|
||||
currentGroupUsers.Add(savingOrganizationUser.Id);
|
||||
|
||||
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
|
||||
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, new List<CollectionAccessSelection>()));
|
||||
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByOrganizationAsync(organization.Id, Arg.Any<Guid>())
|
||||
.Returns(savingOrganizationUser);
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>())
|
||||
.Returns(savingOrganizationUser.UserId);
|
||||
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id)
|
||||
.Returns(currentGroupUsers);
|
||||
|
||||
// Make collection authorization pass, it's not being tested here
|
||||
groupRequestModel.Collections = Array.Empty<SelectionReadOnlyRequestModel>();
|
||||
|
||||
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
|
||||
|
||||
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
|
||||
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
|
||||
Arg.Is<Group>(g =>
|
||||
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
|
||||
Arg.Is<Organization>(o => o.Id == organization.Id),
|
||||
Arg.Any<ICollection<CollectionAccessSelection>>(),
|
||||
Arg.Any<IEnumerable<Guid>>());
|
||||
Assert.Equal(groupRequestModel.Name, response.Name);
|
||||
Assert.Equal(organization.Id, response.OrganizationId);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateMembers_AdminsCannotAccessAllCollections_ProviderUser_Success(Organization organization, Group group,
|
||||
GroupRequestModel groupRequestModel, List<Guid> currentGroupUsers, Guid savingUserId,
|
||||
SutProvider<GroupsController> sutProvider)
|
||||
{
|
||||
group.OrganizationId = organization.Id;
|
||||
|
||||
// Enable FC and v1
|
||||
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organization.Id).Returns(
|
||||
new OrganizationAbility
|
||||
{
|
||||
Id = organization.Id,
|
||||
AllowAdminAccessToAllCollectionItems = false,
|
||||
});
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
|
||||
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdWithCollectionsAsync(group.Id)
|
||||
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group, new List<CollectionAccessSelection>()));
|
||||
sutProvider.GetDependency<ICurrentContext>().ManageGroups(organization.Id).Returns(true);
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByOrganizationAsync(organization.Id, Arg.Any<Guid>())
|
||||
.Returns((OrganizationUser)null); // Provider is not an OrganizationUser, so it will always return null
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>())
|
||||
.Returns(savingUserId);
|
||||
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id)
|
||||
.Returns(currentGroupUsers);
|
||||
|
||||
// Make collection authorization pass, it's not being tested here
|
||||
groupRequestModel.Collections = Array.Empty<SelectionReadOnlyRequestModel>();
|
||||
|
||||
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
|
||||
|
||||
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
|
||||
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
|
||||
Arg.Is<Group>(g =>
|
||||
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
|
||||
Arg.Is<Organization>(o => o.Id == organization.Id),
|
||||
Arg.Any<ICollection<CollectionAccessSelection>>(),
|
||||
Arg.Any<IEnumerable<Guid>>());
|
||||
Assert.Equal(groupRequestModel.Name, response.Name);
|
||||
Assert.Equal(organization.Id, response.OrganizationId);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateCollections_OnlyUpdatesCollectionsTheSavingUserCanUpdate(GroupRequestModel groupRequestModel,
|
||||
Group group, Organization organization,
|
||||
SutProvider<GroupsController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
Put_Setup(sutProvider, organization, group, savingUserId);
|
||||
|
||||
var editedCollectionId = CoreHelpers.GenerateComb();
|
||||
var readonlyCollectionId1 = CoreHelpers.GenerateComb();
|
||||
var readonlyCollectionId2 = CoreHelpers.GenerateComb();
|
||||
|
||||
var currentCollectionAccess = new List<CollectionAccessSelection>
|
||||
{
|
||||
new()
|
||||
{
|
||||
Id = editedCollectionId,
|
||||
HidePasswords = true,
|
||||
Manage = false,
|
||||
ReadOnly = true
|
||||
},
|
||||
new()
|
||||
{
|
||||
Id = readonlyCollectionId1,
|
||||
HidePasswords = false,
|
||||
Manage = true,
|
||||
ReadOnly = false
|
||||
},
|
||||
new()
|
||||
{
|
||||
Id = readonlyCollectionId2,
|
||||
HidePasswords = false,
|
||||
Manage = false,
|
||||
ReadOnly = false
|
||||
},
|
||||
};
|
||||
|
||||
// User is upgrading editedCollectionId to manage
|
||||
groupRequestModel.Collections = new List<SelectionReadOnlyRequestModel>
|
||||
{
|
||||
new() { Id = editedCollectionId, HidePasswords = false, Manage = true, ReadOnly = false }
|
||||
};
|
||||
|
||||
sutProvider.GetDependency<IGroupRepository>()
|
||||
.GetByIdWithCollectionsAsync(group.Id)
|
||||
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group,
|
||||
currentCollectionAccess));
|
||||
|
||||
var currentCollections = currentCollectionAccess
|
||||
.Select(cas => new Collection { Id = cas.Id }).ToList();
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(currentCollections);
|
||||
|
||||
// Authorize the editedCollection
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == editedCollectionId),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
|
||||
.Returns(AuthorizationResult.Success());
|
||||
|
||||
// Do not authorize the readonly collections
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == readonlyCollectionId1 || c.Id == readonlyCollectionId2),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
|
||||
.Returns(AuthorizationResult.Failed());
|
||||
|
||||
var response = await sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel);
|
||||
|
||||
// Expect all collection access (modified and unmodified) to be saved
|
||||
await sutProvider.GetDependency<ICurrentContext>().Received(1).ManageGroups(organization.Id);
|
||||
await sutProvider.GetDependency<IUpdateGroupCommand>().Received(1).UpdateGroupAsync(
|
||||
Arg.Is<Group>(g =>
|
||||
g.OrganizationId == organization.Id && g.Name == groupRequestModel.Name),
|
||||
Arg.Is<Organization>(o => o.Id == organization.Id),
|
||||
Arg.Is<List<CollectionAccessSelection>>(cas =>
|
||||
cas.Select(c => c.Id).SequenceEqual(currentCollectionAccess.Select(c => c.Id)) &&
|
||||
cas.First(c => c.Id == editedCollectionId).Manage == true &&
|
||||
cas.First(c => c.Id == editedCollectionId).ReadOnly == false &&
|
||||
cas.First(c => c.Id == editedCollectionId).HidePasswords == false),
|
||||
Arg.Any<IEnumerable<Guid>>());
|
||||
Assert.Equal(groupRequestModel.Name, response.Name);
|
||||
Assert.Equal(organization.Id, response.OrganizationId);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotUpdateCollections(GroupRequestModel groupRequestModel,
|
||||
Group group, Organization organization,
|
||||
SutProvider<GroupsController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
Put_Setup(sutProvider, organization, group, savingUserId);
|
||||
|
||||
sutProvider.GetDependency<IGroupRepository>()
|
||||
.GetByIdWithCollectionsAsync(group.Id)
|
||||
.Returns(new Tuple<Group, ICollection<CollectionAccessSelection>>(group,
|
||||
groupRequestModel.Collections.Select(cas => cas.ToSelectionReadOnly()).ToList()));
|
||||
var collections = groupRequestModel.Collections.Select(cas => new Collection { Id = cas.Id }).ToList();
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Is<IEnumerable<Guid>>(guids => guids.SequenceEqual(collections.Select(c => c.Id))))
|
||||
.Returns(collections);
|
||||
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => collections.Contains(c)),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyGroupAccess)))
|
||||
.Returns(AuthorizationResult.Failed());
|
||||
|
||||
var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.Put(organization.Id, group.Id, groupRequestModel));
|
||||
Assert.Contains("You must have Can Manage permission", exception.Message);
|
||||
}
|
||||
|
||||
private void Put_Setup(SutProvider<GroupsController> sutProvider, Organization organization,
|
||||
Group group, Guid savingUserId)
|
||||
{
|
||||
var orgId = organization.Id = group.OrganizationId;
|
||||
|
||||
sutProvider.GetDependency<ICurrentContext>().ManageGroups(orgId).Returns(true);
|
||||
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(orgId)
|
||||
.Returns(new OrganizationAbility
|
||||
{
|
||||
Id = organization.Id,
|
||||
AllowAdminAccessToAllCollectionItems = false
|
||||
});
|
||||
|
||||
sutProvider.GetDependency<IGroupRepository>().GetManyUserIdsByIdAsync(group.Id).Returns(new List<Guid>());
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(savingUserId);
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>().GetByOrganizationAsync(orgId, savingUserId).Returns(new OrganizationUser
|
||||
{
|
||||
Id = savingUserId
|
||||
});
|
||||
sutProvider.GetDependency<IOrganizationRepository>().GetByIdAsync(organization.Id).Returns(organization);
|
||||
}
|
||||
}
|
||||
|
||||
@ -0,0 +1,284 @@
|
||||
using System.Security.Claims;
|
||||
using Bit.Api.AdminConsole.Controllers;
|
||||
using Bit.Api.AdminConsole.Models.Request.Organizations;
|
||||
using Bit.Api.Models.Request;
|
||||
using Bit.Api.Vault.AuthorizationHandlers.Collections;
|
||||
using Bit.Core;
|
||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Models.Data;
|
||||
using Bit.Core.Models.Data.Organizations;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Core.Utilities;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using NSubstitute;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Api.Test.AdminConsole.Controllers;
|
||||
|
||||
[ControllerCustomize(typeof(OrganizationUsersController))]
|
||||
[SutProviderCustomize]
|
||||
public class OrganizationUserControllerPutTests
|
||||
{
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_Success(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, currentCollectionAccess: []);
|
||||
|
||||
// Authorize all changes for basic happy path test
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Any<Collection>(),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
|
||||
.Returns(AuthorizationResult.Success());
|
||||
|
||||
// Save these for later - organizationUser object will be mutated
|
||||
var orgUserId = organizationUser.Id;
|
||||
var orgUserEmail = organizationUser.Email;
|
||||
|
||||
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
|
||||
|
||||
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
|
||||
ou.Type == model.Type &&
|
||||
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
|
||||
ou.AccessSecretsManager == model.AccessSecretsManager &&
|
||||
ou.Id == orgUserId &&
|
||||
ou.Email == orgUserEmail),
|
||||
savingUserId,
|
||||
Arg.Is<List<CollectionAccessSelection>>(cas =>
|
||||
cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
|
||||
model.Groups);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_NoAdminAccess_CannotAddSelfToCollections(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
// Updating self
|
||||
organizationUser.UserId = savingUserId;
|
||||
organizationAbility.AllowAdminAccessToAllCollectionItems = false;
|
||||
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, currentCollectionAccess: []);
|
||||
|
||||
var exception = await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model));
|
||||
Assert.Contains("You cannot add yourself to a collection.", exception.Message);
|
||||
}
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_NoAdminAccess_CannotAddSelfToGroups(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
// Updating self
|
||||
organizationUser.UserId = savingUserId;
|
||||
organizationAbility.AllowAdminAccessToAllCollectionItems = false;
|
||||
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, currentCollectionAccess: []);
|
||||
|
||||
// Not changing any collection access
|
||||
model.Collections = new List<SelectionReadOnlyRequestModel>();
|
||||
|
||||
var orgUserId = organizationUser.Id;
|
||||
var orgUserEmail = organizationUser.Email;
|
||||
|
||||
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
|
||||
|
||||
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
|
||||
ou.Type == model.Type &&
|
||||
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
|
||||
ou.AccessSecretsManager == model.AccessSecretsManager &&
|
||||
ou.Id == orgUserId &&
|
||||
ou.Email == orgUserEmail),
|
||||
savingUserId,
|
||||
Arg.Is<List<CollectionAccessSelection>>(cas =>
|
||||
cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
|
||||
// Main assertion: groups are not updated (are null)
|
||||
null);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_WithAdminAccess_CanAddSelfToGroups(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
// Updating self
|
||||
organizationUser.UserId = savingUserId;
|
||||
organizationAbility.AllowAdminAccessToAllCollectionItems = true;
|
||||
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, currentCollectionAccess: []);
|
||||
|
||||
// Not changing any collection access
|
||||
model.Collections = new List<SelectionReadOnlyRequestModel>();
|
||||
|
||||
var orgUserId = organizationUser.Id;
|
||||
var orgUserEmail = organizationUser.Email;
|
||||
|
||||
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
|
||||
|
||||
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
|
||||
ou.Type == model.Type &&
|
||||
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
|
||||
ou.AccessSecretsManager == model.AccessSecretsManager &&
|
||||
ou.Id == orgUserId &&
|
||||
ou.Email == orgUserEmail),
|
||||
savingUserId,
|
||||
Arg.Is<List<CollectionAccessSelection>>(cas =>
|
||||
cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
|
||||
model.Groups);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateCollections_DoesNotOverwriteUnauthorizedCollections(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
var editedCollectionId = CoreHelpers.GenerateComb();
|
||||
var readonlyCollectionId1 = CoreHelpers.GenerateComb();
|
||||
var readonlyCollectionId2 = CoreHelpers.GenerateComb();
|
||||
|
||||
var currentCollectionAccess = new List<CollectionAccessSelection>
|
||||
{
|
||||
new()
|
||||
{
|
||||
Id = editedCollectionId,
|
||||
HidePasswords = true,
|
||||
Manage = false,
|
||||
ReadOnly = true
|
||||
},
|
||||
new()
|
||||
{
|
||||
Id = readonlyCollectionId1,
|
||||
HidePasswords = false,
|
||||
Manage = true,
|
||||
ReadOnly = false
|
||||
},
|
||||
new()
|
||||
{
|
||||
Id = readonlyCollectionId2,
|
||||
HidePasswords = false,
|
||||
Manage = false,
|
||||
ReadOnly = false
|
||||
},
|
||||
};
|
||||
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, currentCollectionAccess);
|
||||
|
||||
// User is upgrading editedCollectionId to manage
|
||||
model.Collections = new List<SelectionReadOnlyRequestModel>
|
||||
{
|
||||
new() { Id = editedCollectionId, HidePasswords = false, Manage = true, ReadOnly = false }
|
||||
};
|
||||
|
||||
// Save these for later - organizationUser object will be mutated
|
||||
var orgUserId = organizationUser.Id;
|
||||
var orgUserEmail = organizationUser.Email;
|
||||
|
||||
// Authorize the editedCollection
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == editedCollectionId),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
|
||||
.Returns(AuthorizationResult.Success());
|
||||
|
||||
// Do not authorize the readonly collections
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == readonlyCollectionId1 || c.Id == readonlyCollectionId2),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
|
||||
.Returns(AuthorizationResult.Failed());
|
||||
|
||||
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
|
||||
|
||||
// Expect all collection access (modified and unmodified) to be saved
|
||||
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
|
||||
ou.Type == model.Type &&
|
||||
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
|
||||
ou.AccessSecretsManager == model.AccessSecretsManager &&
|
||||
ou.Id == orgUserId &&
|
||||
ou.Email == orgUserEmail),
|
||||
savingUserId,
|
||||
Arg.Is<List<CollectionAccessSelection>>(cas =>
|
||||
cas.Select(c => c.Id).SequenceEqual(currentCollectionAccess.Select(c => c.Id)) &&
|
||||
cas.First(c => c.Id == editedCollectionId).Manage == true &&
|
||||
cas.First(c => c.Id == editedCollectionId).ReadOnly == false &&
|
||||
cas.First(c => c.Id == editedCollectionId).HidePasswords == false),
|
||||
model.Groups);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotUpdateCollections(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
// Target user is currently assigned to the POSTed collections
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId,
|
||||
currentCollectionAccess: model.Collections.Select(cas => cas.ToSelectionReadOnly()).ToList());
|
||||
|
||||
var postedCollectionIds = model.Collections.Select(c => c.Id).ToHashSet();
|
||||
|
||||
// But the saving user does not have permission to update them
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => postedCollectionIds.Contains(c.Id)),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
|
||||
.Returns(AuthorizationResult.Failed());
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotAddCollections(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
// The target user is not currently assigned to any collections, so we're granting access for the first time
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, currentCollectionAccess: []);
|
||||
|
||||
var postedCollectionIds = model.Collections.Select(c => c.Id).ToHashSet();
|
||||
// But the saving user does not have permission to assign access to the collections
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => postedCollectionIds.Contains(c.Id)),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
|
||||
.Returns(AuthorizationResult.Failed());
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model));
|
||||
}
|
||||
|
||||
private void Put_Setup(SutProvider<OrganizationUsersController> sutProvider,
|
||||
OrganizationAbility organizationAbility, OrganizationUser organizationUser, Guid savingUserId,
|
||||
List<CollectionAccessSelection> currentCollectionAccess)
|
||||
{
|
||||
// FCv1 is now fully enabled
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
|
||||
var orgId = organizationAbility.Id = organizationUser.OrganizationId;
|
||||
|
||||
sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(organizationUser.Id)
|
||||
.Returns(organizationUser);
|
||||
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(orgId)
|
||||
.Returns(organizationAbility);
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(savingUserId);
|
||||
|
||||
// OrganizationUserRepository: return the user with current collection access
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdWithCollectionsAsync(organizationUser.Id)
|
||||
.Returns(new Tuple<OrganizationUser, ICollection<CollectionAccessSelection>>(organizationUser,
|
||||
currentCollectionAccess ?? []));
|
||||
|
||||
// Collection repository: return mock Collection objects for any ids passed in
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>().Select(guid => new Collection { Id = guid }).ToList());
|
||||
}
|
||||
}
|
||||
@ -1,13 +1,11 @@
|
||||
using System.Security.Claims;
|
||||
using Bit.Api.AdminConsole.Controllers;
|
||||
using Bit.Api.AdminConsole.Models.Request.Organizations;
|
||||
using Bit.Api.Models.Request;
|
||||
using Bit.Api.Vault.AuthorizationHandlers.Collections;
|
||||
using Bit.Core;
|
||||
using Bit.Core.AdminConsole.Entities;
|
||||
using Bit.Core.AdminConsole.Enums;
|
||||
using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
|
||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
|
||||
using Bit.Core.AdminConsole.Repositories;
|
||||
using Bit.Core.Auth.Entities;
|
||||
using Bit.Core.Auth.Repositories;
|
||||
@ -183,241 +181,7 @@ public class OrganizationUsersControllerTests
|
||||
.Returns(AuthorizationResult.Failed());
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(userId);
|
||||
|
||||
var exception = await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Invite(organizationAbility.Id, model));
|
||||
Assert.Contains("You are not authorized", exception.Message);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_Success(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(false);
|
||||
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, true);
|
||||
|
||||
// Save these for later - organizationUser object will be mutated
|
||||
var orgUserId = organizationUser.Id;
|
||||
var orgUserEmail = organizationUser.Email;
|
||||
|
||||
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
|
||||
|
||||
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
|
||||
ou.Type == model.Type &&
|
||||
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
|
||||
ou.AccessSecretsManager == model.AccessSecretsManager &&
|
||||
ou.Id == orgUserId &&
|
||||
ou.Email == orgUserEmail),
|
||||
savingUserId,
|
||||
Arg.Is<List<CollectionAccessSelection>>(cas =>
|
||||
cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
|
||||
model.Groups);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateSelf_WithoutAllowAdminAccessToAllCollectionItems_CannotAddSelfToCollections(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
// Updating self
|
||||
organizationUser.UserId = savingUserId;
|
||||
organizationAbility.AllowAdminAccessToAllCollectionItems = false;
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, false);
|
||||
|
||||
// User is not currently assigned to any collections, which means they're adding themselves
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdWithCollectionsAsync(organizationUser.Id)
|
||||
.Returns(new Tuple<OrganizationUser, ICollection<CollectionAccessSelection>>(organizationUser,
|
||||
new List<CollectionAccessSelection>()));
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(new List<Collection>());
|
||||
|
||||
var orgUserId = organizationUser.Id;
|
||||
var orgUserEmail = organizationUser.Email;
|
||||
|
||||
var exception = await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model));
|
||||
Assert.Contains("You cannot add yourself to a collection.", exception.Message);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateSelf_WithoutAllowAdminAccessToAllCollectionItems_DoesNotUpdateGroups(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
// Updating self
|
||||
organizationUser.UserId = savingUserId;
|
||||
organizationAbility.AllowAdminAccessToAllCollectionItems = false;
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, true);
|
||||
|
||||
var orgUserId = organizationUser.Id;
|
||||
var orgUserEmail = organizationUser.Email;
|
||||
|
||||
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
|
||||
|
||||
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
|
||||
ou.Type == model.Type &&
|
||||
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
|
||||
ou.AccessSecretsManager == model.AccessSecretsManager &&
|
||||
ou.Id == orgUserId &&
|
||||
ou.Email == orgUserEmail),
|
||||
savingUserId,
|
||||
Arg.Is<List<CollectionAccessSelection>>(cas =>
|
||||
cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
|
||||
null);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateSelf_WithAllowAdminAccessToAllCollectionItems_DoesUpdateGroups(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
// Updating self
|
||||
organizationUser.UserId = savingUserId;
|
||||
organizationAbility.AllowAdminAccessToAllCollectionItems = true;
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, true);
|
||||
|
||||
var orgUserId = organizationUser.Id;
|
||||
var orgUserEmail = organizationUser.Email;
|
||||
|
||||
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
|
||||
|
||||
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
|
||||
ou.Type == model.Type &&
|
||||
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
|
||||
ou.AccessSecretsManager == model.AccessSecretsManager &&
|
||||
ou.Id == orgUserId &&
|
||||
ou.Email == orgUserEmail),
|
||||
savingUserId,
|
||||
Arg.Is<List<CollectionAccessSelection>>(cas =>
|
||||
cas.All(c => model.Collections.Any(m => m.Id == c.Id))),
|
||||
model.Groups);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateCollections_OnlyUpdatesCollectionsTheSavingUserCanUpdate(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, false);
|
||||
|
||||
var editedCollectionId = CoreHelpers.GenerateComb();
|
||||
var readonlyCollectionId1 = CoreHelpers.GenerateComb();
|
||||
var readonlyCollectionId2 = CoreHelpers.GenerateComb();
|
||||
|
||||
var currentCollectionAccess = new List<CollectionAccessSelection>
|
||||
{
|
||||
new()
|
||||
{
|
||||
Id = editedCollectionId,
|
||||
HidePasswords = true,
|
||||
Manage = false,
|
||||
ReadOnly = true
|
||||
},
|
||||
new()
|
||||
{
|
||||
Id = readonlyCollectionId1,
|
||||
HidePasswords = false,
|
||||
Manage = true,
|
||||
ReadOnly = false
|
||||
},
|
||||
new()
|
||||
{
|
||||
Id = readonlyCollectionId2,
|
||||
HidePasswords = false,
|
||||
Manage = false,
|
||||
ReadOnly = false
|
||||
},
|
||||
};
|
||||
|
||||
// User is upgrading editedCollectionId to manage
|
||||
model.Collections = new List<SelectionReadOnlyRequestModel>
|
||||
{
|
||||
new() { Id = editedCollectionId, HidePasswords = false, Manage = true, ReadOnly = false }
|
||||
};
|
||||
|
||||
// Save these for later - organizationUser object will be mutated
|
||||
var orgUserId = organizationUser.Id;
|
||||
var orgUserEmail = organizationUser.Email;
|
||||
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdWithCollectionsAsync(organizationUser.Id)
|
||||
.Returns(new Tuple<OrganizationUser, ICollection<CollectionAccessSelection>>(organizationUser,
|
||||
currentCollectionAccess));
|
||||
|
||||
var currentCollections = currentCollectionAccess
|
||||
.Select(cas => new Collection { Id = cas.Id }).ToList();
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(currentCollections);
|
||||
|
||||
// Authorize the editedCollection
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == editedCollectionId),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
|
||||
.Returns(AuthorizationResult.Success());
|
||||
|
||||
// Do not authorize the readonly collections
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => c.Id == readonlyCollectionId1 || c.Id == readonlyCollectionId2),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
|
||||
.Returns(AuthorizationResult.Failed());
|
||||
|
||||
await sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model);
|
||||
|
||||
// Expect all collection access (modified and unmodified) to be saved
|
||||
await sutProvider.GetDependency<IUpdateOrganizationUserCommand>().Received(1).UpdateUserAsync(Arg.Is<OrganizationUser>(ou =>
|
||||
ou.Type == model.Type &&
|
||||
ou.Permissions == CoreHelpers.ClassToJsonData(model.Permissions) &&
|
||||
ou.AccessSecretsManager == model.AccessSecretsManager &&
|
||||
ou.Id == orgUserId &&
|
||||
ou.Email == orgUserEmail),
|
||||
savingUserId,
|
||||
Arg.Is<List<CollectionAccessSelection>>(cas =>
|
||||
cas.Select(c => c.Id).SequenceEqual(currentCollectionAccess.Select(c => c.Id)) &&
|
||||
cas.First(c => c.Id == editedCollectionId).Manage == true &&
|
||||
cas.First(c => c.Id == editedCollectionId).ReadOnly == false &&
|
||||
cas.First(c => c.Id == editedCollectionId).HidePasswords == false),
|
||||
model.Groups);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitAutoData]
|
||||
public async Task Put_UpdateCollections_ThrowsIfSavingUserCannotUpdateCollections(OrganizationUserUpdateRequestModel model,
|
||||
OrganizationUser organizationUser, OrganizationAbility organizationAbility,
|
||||
SutProvider<OrganizationUsersController> sutProvider, Guid savingUserId)
|
||||
{
|
||||
sutProvider.GetDependency<IFeatureService>().IsEnabled(FeatureFlagKeys.FlexibleCollectionsV1).Returns(true);
|
||||
Put_Setup(sutProvider, organizationAbility, organizationUser, savingUserId, model, false);
|
||||
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdWithCollectionsAsync(organizationUser.Id)
|
||||
.Returns(new Tuple<OrganizationUser, ICollection<CollectionAccessSelection>>(organizationUser,
|
||||
model.Collections.Select(cas => cas.ToSelectionReadOnly()).ToList()));
|
||||
var collections = model.Collections.Select(cas => new Collection { Id = cas.Id }).ToList();
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Is<IEnumerable<Guid>>(guids => guids.SequenceEqual(collections.Select(c => c.Id))))
|
||||
.Returns(collections);
|
||||
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => collections.Contains(c)),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(reqs => reqs.Contains(BulkCollectionOperations.ModifyUserAccess)))
|
||||
.Returns(AuthorizationResult.Failed());
|
||||
|
||||
var exception = await Assert.ThrowsAsync<BadRequestException>(() => sutProvider.Sut.Put(organizationAbility.Id, organizationUser.Id, model));
|
||||
Assert.Contains("You must have Can Manage permission", exception.Message);
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.Invite(organizationAbility.Id, model));
|
||||
}
|
||||
|
||||
[Theory]
|
||||
@ -536,36 +300,6 @@ public class OrganizationUsersControllerTests
|
||||
await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.GetAccountRecoveryDetails(organizationId, bulkRequestModel));
|
||||
}
|
||||
|
||||
private void Put_Setup(SutProvider<OrganizationUsersController> sutProvider, OrganizationAbility organizationAbility,
|
||||
OrganizationUser organizationUser, Guid savingUserId, OrganizationUserUpdateRequestModel model, bool authorizeAll)
|
||||
{
|
||||
var orgId = organizationAbility.Id = organizationUser.OrganizationId;
|
||||
|
||||
sutProvider.GetDependency<ICurrentContext>().ManageUsers(orgId).Returns(true);
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(organizationUser.Id).Returns(organizationUser);
|
||||
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(orgId)
|
||||
.Returns(organizationAbility);
|
||||
sutProvider.GetDependency<IUserService>().GetProperUserId(Arg.Any<ClaimsPrincipal>()).Returns(savingUserId);
|
||||
|
||||
if (authorizeAll)
|
||||
{
|
||||
// Simple case: saving user can edit all collections, all collection access is replaced
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetByIdWithCollectionsAsync(organizationUser.Id)
|
||||
.Returns(new Tuple<OrganizationUser, ICollection<CollectionAccessSelection>>(organizationUser,
|
||||
model.Collections.Select(cas => cas.ToSelectionReadOnly()).ToList()));
|
||||
var collections = model.Collections.Select(cas => new Collection { Id = cas.Id }).ToList();
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Is<IEnumerable<Guid>>(guids => guids.SequenceEqual(collections.Select(c => c.Id))))
|
||||
.Returns(collections);
|
||||
|
||||
sutProvider.GetDependency<IAuthorizationService>()
|
||||
.AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Is<Collection>(c => collections.Contains(c)),
|
||||
Arg.Is<IEnumerable<IAuthorizationRequirement>>(r => r.Contains(BulkCollectionOperations.ModifyUserAccess)))
|
||||
.Returns(AuthorizationResult.Success());
|
||||
}
|
||||
}
|
||||
|
||||
private void Get_Setup(OrganizationAbility organizationAbility,
|
||||
ICollection<OrganizationUserUserDetails> organizationUsers,
|
||||
SutProvider<OrganizationUsersController> sutProvider)
|
||||
|
||||
@ -1,11 +1,14 @@
|
||||
using Bit.Core.AdminConsole.Entities;
|
||||
using Bit.Core.AdminConsole.OrganizationFeatures.Groups;
|
||||
using Bit.Core.AdminConsole.Repositories;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Models.Data;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Core.Test.AutoFixture.OrganizationFixtures;
|
||||
using Bit.Core.Utilities;
|
||||
using Bit.Test.Common.AutoFixture;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Bit.Test.Common.Helpers;
|
||||
@ -18,10 +21,12 @@ namespace Bit.Core.Test.AdminConsole.OrganizationFeatures.Groups;
|
||||
public class UpdateGroupCommandTests
|
||||
{
|
||||
[Theory, OrganizationCustomize(UseGroups = true), BitAutoData]
|
||||
public async Task UpdateGroup_Success(SutProvider<UpdateGroupCommand> sutProvider, Group group, Organization organization)
|
||||
public async Task UpdateGroup_Success(SutProvider<UpdateGroupCommand> sutProvider, Group group, Group oldGroup,
|
||||
Organization organization)
|
||||
{
|
||||
// Deprecated with Flexible Collections
|
||||
group.AccessAll = false;
|
||||
ArrangeGroup(sutProvider, group, oldGroup);
|
||||
ArrangeUsers(sutProvider, group);
|
||||
ArrangeCollections(sutProvider, group);
|
||||
|
||||
await sutProvider.Sut.UpdateGroupAsync(group, organization);
|
||||
|
||||
@ -31,10 +36,12 @@ public class UpdateGroupCommandTests
|
||||
}
|
||||
|
||||
[Theory, OrganizationCustomize(UseGroups = true), BitAutoData]
|
||||
public async Task UpdateGroup_WithCollections_Success(SutProvider<UpdateGroupCommand> sutProvider, Group group, Organization organization, List<CollectionAccessSelection> collections)
|
||||
public async Task UpdateGroup_WithCollections_Success(SutProvider<UpdateGroupCommand> sutProvider, Group group,
|
||||
Group oldGroup, Organization organization, List<CollectionAccessSelection> collections)
|
||||
{
|
||||
// Deprecated with Flexible Collections
|
||||
group.AccessAll = false;
|
||||
ArrangeGroup(sutProvider, group, oldGroup);
|
||||
ArrangeUsers(sutProvider, group);
|
||||
ArrangeCollections(sutProvider, group);
|
||||
|
||||
// Arrange list of collections to make sure Manage is mutually exclusive
|
||||
for (var i = 0; i < collections.Count; i++)
|
||||
@ -53,10 +60,12 @@ public class UpdateGroupCommandTests
|
||||
}
|
||||
|
||||
[Theory, OrganizationCustomize(UseGroups = true), BitAutoData]
|
||||
public async Task UpdateGroup_WithEventSystemUser_Success(SutProvider<UpdateGroupCommand> sutProvider, Group group, Organization organization, EventSystemUser eventSystemUser)
|
||||
public async Task UpdateGroup_WithEventSystemUser_Success(SutProvider<UpdateGroupCommand> sutProvider, Group group,
|
||||
Group oldGroup, Organization organization, EventSystemUser eventSystemUser)
|
||||
{
|
||||
// Deprecated with Flexible Collections
|
||||
group.AccessAll = false;
|
||||
ArrangeGroup(sutProvider, group, oldGroup);
|
||||
ArrangeUsers(sutProvider, group);
|
||||
ArrangeCollections(sutProvider, group);
|
||||
|
||||
await sutProvider.Sut.UpdateGroupAsync(group, organization, eventSystemUser);
|
||||
|
||||
@ -66,19 +75,27 @@ public class UpdateGroupCommandTests
|
||||
}
|
||||
|
||||
[Theory, OrganizationCustomize(UseGroups = true), BitAutoData]
|
||||
public async Task UpdateGroup_WithNullOrganization_Throws(SutProvider<UpdateGroupCommand> sutProvider, Group group, EventSystemUser eventSystemUser)
|
||||
public async Task UpdateGroup_WithNullOrganization_Throws(SutProvider<UpdateGroupCommand> sutProvider, Group group,
|
||||
Group oldGroup, EventSystemUser eventSystemUser)
|
||||
{
|
||||
var exception = await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.UpdateGroupAsync(group, null, eventSystemUser));
|
||||
ArrangeGroup(sutProvider, group, oldGroup);
|
||||
ArrangeUsers(sutProvider, group);
|
||||
ArrangeCollections(sutProvider, group);
|
||||
|
||||
Assert.Contains("Organization not found", exception.Message);
|
||||
await Assert.ThrowsAsync<NotFoundException>(async () => await sutProvider.Sut.UpdateGroupAsync(group, null, eventSystemUser));
|
||||
|
||||
await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().CreateAsync(default);
|
||||
await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogGroupEventAsync(default, default, default);
|
||||
}
|
||||
|
||||
[Theory, OrganizationCustomize(UseGroups = false), BitAutoData]
|
||||
public async Task UpdateGroup_WithUseGroupsAsFalse_Throws(SutProvider<UpdateGroupCommand> sutProvider, Organization organization, Group group, EventSystemUser eventSystemUser)
|
||||
public async Task UpdateGroup_WithUseGroupsAsFalse_Throws(SutProvider<UpdateGroupCommand> sutProvider,
|
||||
Organization organization, Group group, Group oldGroup, EventSystemUser eventSystemUser)
|
||||
{
|
||||
ArrangeGroup(sutProvider, group, oldGroup);
|
||||
ArrangeUsers(sutProvider, group);
|
||||
ArrangeCollections(sutProvider, group);
|
||||
|
||||
var exception = await Assert.ThrowsAsync<BadRequestException>(async () => await sutProvider.Sut.UpdateGroupAsync(group, organization, eventSystemUser));
|
||||
|
||||
Assert.Contains("This organization cannot use groups", exception.Message);
|
||||
@ -89,8 +106,12 @@ public class UpdateGroupCommandTests
|
||||
|
||||
[Theory, OrganizationCustomize(UseGroups = true), BitAutoData]
|
||||
public async Task UpdateGroup_WithAccessAll_Throws(
|
||||
SutProvider<UpdateGroupCommand> sutProvider, Organization organization, Group group)
|
||||
SutProvider<UpdateGroupCommand> sutProvider, Organization organization, Group group, Group oldGroup)
|
||||
{
|
||||
ArrangeGroup(sutProvider, group, oldGroup);
|
||||
ArrangeUsers(sutProvider, group);
|
||||
ArrangeCollections(sutProvider, group);
|
||||
|
||||
group.AccessAll = true;
|
||||
|
||||
var exception =
|
||||
@ -100,4 +121,123 @@ public class UpdateGroupCommandTests
|
||||
await sutProvider.GetDependency<IGroupRepository>().DidNotReceiveWithAnyArgs().CreateAsync(default);
|
||||
await sutProvider.GetDependency<IEventService>().DidNotReceiveWithAnyArgs().LogGroupEventAsync(default, default, default);
|
||||
}
|
||||
|
||||
|
||||
[Theory, OrganizationCustomize(UseGroups = true, FlexibleCollections = true), BitAutoData]
|
||||
public async Task UpdateGroup_GroupBelongsToDifferentOrganization_Throws(SutProvider<UpdateGroupCommand> sutProvider,
|
||||
Group group, Group oldGroup, Organization organization)
|
||||
{
|
||||
group.AccessAll = false;
|
||||
ArrangeGroup(sutProvider, group, oldGroup);
|
||||
ArrangeUsers(sutProvider, group);
|
||||
ArrangeCollections(sutProvider, group);
|
||||
|
||||
// Mismatching orgId
|
||||
oldGroup.OrganizationId = CoreHelpers.GenerateComb();
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(() => sutProvider.Sut.UpdateGroupAsync(group, organization));
|
||||
}
|
||||
|
||||
[Theory, OrganizationCustomize(UseGroups = true, FlexibleCollections = true), BitAutoData]
|
||||
public async Task UpdateGroup_CollectionsBelongsToDifferentOrganization_Throws(SutProvider<UpdateGroupCommand> sutProvider,
|
||||
Group group, Group oldGroup, Organization organization, List<CollectionAccessSelection> collectionAccess)
|
||||
{
|
||||
group.AccessAll = false;
|
||||
ArrangeGroup(sutProvider, group, oldGroup);
|
||||
ArrangeUsers(sutProvider, group);
|
||||
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new Collection { Id = guid, OrganizationId = CoreHelpers.GenerateComb() }).ToList());
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(
|
||||
() => sutProvider.Sut.UpdateGroupAsync(group, organization, collectionAccess));
|
||||
}
|
||||
|
||||
[Theory, OrganizationCustomize(UseGroups = true, FlexibleCollections = true), BitAutoData]
|
||||
public async Task UpdateGroup_CollectionsDoNotExist_Throws(SutProvider<UpdateGroupCommand> sutProvider,
|
||||
Group group, Group oldGroup, Organization organization, List<CollectionAccessSelection> collectionAccess)
|
||||
{
|
||||
group.AccessAll = false;
|
||||
ArrangeGroup(sutProvider, group, oldGroup);
|
||||
ArrangeUsers(sutProvider, group);
|
||||
|
||||
// Return result is missing a collection
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo =>
|
||||
{
|
||||
var result = callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new Collection { Id = guid, OrganizationId = group.OrganizationId }).ToList();
|
||||
result.RemoveAt(0);
|
||||
return result;
|
||||
});
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(
|
||||
() => sutProvider.Sut.UpdateGroupAsync(group, organization, collectionAccess));
|
||||
}
|
||||
|
||||
[Theory, OrganizationCustomize(UseGroups = true, FlexibleCollections = true), BitAutoData]
|
||||
public async Task UpdateGroup_MemberBelongsToDifferentOrganization_Throws(SutProvider<UpdateGroupCommand> sutProvider,
|
||||
Group group, Group oldGroup, Organization organization, IEnumerable<Guid> userAccess)
|
||||
{
|
||||
group.AccessAll = false;
|
||||
ArrangeGroup(sutProvider, group, oldGroup);
|
||||
ArrangeCollections(sutProvider, group);
|
||||
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetManyAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new OrganizationUser { Id = guid, OrganizationId = CoreHelpers.GenerateComb() }).ToList());
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(
|
||||
() => sutProvider.Sut.UpdateGroupAsync(group, organization, null, userAccess));
|
||||
}
|
||||
|
||||
[Theory, OrganizationCustomize(UseGroups = true, FlexibleCollections = true), BitAutoData]
|
||||
public async Task UpdateGroup_MemberDoesNotExist_Throws(SutProvider<UpdateGroupCommand> sutProvider,
|
||||
Group group, Group oldGroup, Organization organization, IEnumerable<Guid> userAccess)
|
||||
{
|
||||
ArrangeGroup(sutProvider, group, oldGroup);
|
||||
ArrangeCollections(sutProvider, group);
|
||||
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetManyAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo =>
|
||||
{
|
||||
var result = callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new OrganizationUser { Id = guid, OrganizationId = group.OrganizationId })
|
||||
.ToList();
|
||||
result.RemoveAt(0);
|
||||
return result;
|
||||
});
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(
|
||||
() => sutProvider.Sut.UpdateGroupAsync(group, organization, null, userAccess));
|
||||
}
|
||||
|
||||
private void ArrangeGroup(SutProvider<UpdateGroupCommand> sutProvider, Group group, Group oldGroup)
|
||||
{
|
||||
group.AccessAll = false;
|
||||
oldGroup.OrganizationId = group.OrganizationId;
|
||||
oldGroup.Id = group.Id;
|
||||
sutProvider.GetDependency<IGroupRepository>().GetByIdAsync(group.Id).Returns(oldGroup);
|
||||
}
|
||||
|
||||
private void ArrangeCollections(SutProvider<UpdateGroupCommand> sutProvider, Group group)
|
||||
{
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new Collection() { Id = guid, OrganizationId = group.OrganizationId }).ToList());
|
||||
}
|
||||
|
||||
private void ArrangeUsers(SutProvider<UpdateGroupCommand> sutProvider, Group group)
|
||||
{
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>()
|
||||
.GetManyAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new OrganizationUser { Id = guid, OrganizationId = group.OrganizationId }).ToList());
|
||||
}
|
||||
}
|
||||
|
||||
@ -1,6 +1,7 @@
|
||||
using System.Text.Json;
|
||||
using Bit.Core.AdminConsole.Entities;
|
||||
using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
|
||||
using Bit.Core.AdminConsole.Repositories;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
@ -21,7 +22,7 @@ public class UpdateOrganizationUserCommandTests
|
||||
{
|
||||
[Theory, BitAutoData]
|
||||
public async Task UpdateUserAsync_NoUserId_Throws(OrganizationUser user, Guid? savingUserId,
|
||||
List<CollectionAccessSelection> collections, IEnumerable<Guid> groups, SutProvider<UpdateOrganizationUserCommand> sutProvider)
|
||||
List<CollectionAccessSelection> collections, List<Guid> groups, SutProvider<UpdateOrganizationUserCommand> sutProvider)
|
||||
{
|
||||
user.Id = default(Guid);
|
||||
var exception = await Assert.ThrowsAsync<BadRequestException>(
|
||||
@ -29,22 +30,106 @@ public class UpdateOrganizationUserCommandTests
|
||||
Assert.Contains("invite the user first", exception.Message.ToLowerInvariant());
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task UpdateUserAsync_DifferentOrganizationId_Throws(OrganizationUser user, OrganizationUser originalUser,
|
||||
Guid? savingUserId, SutProvider<UpdateOrganizationUserCommand> sutProvider)
|
||||
{
|
||||
sutProvider.GetDependency<IOrganizationUserRepository>().GetByIdAsync(user.Id).Returns(originalUser);
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(
|
||||
() => sutProvider.Sut.UpdateUserAsync(user, savingUserId, null, null));
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task UpdateUserAsync_CollectionsBelongToDifferentOrganization_Throws(OrganizationUser user, OrganizationUser originalUser,
|
||||
List<CollectionAccessSelection> collectionAccess, Guid? savingUserId, SutProvider<UpdateOrganizationUserCommand> sutProvider,
|
||||
Organization organization)
|
||||
{
|
||||
Setup(sutProvider, organization, user, originalUser);
|
||||
|
||||
// Return collections with different organizationIds from the repository
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new Collection { Id = guid, OrganizationId = CoreHelpers.GenerateComb() }).ToList());
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(
|
||||
() => sutProvider.Sut.UpdateUserAsync(user, savingUserId, collectionAccess, null));
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task UpdateUserAsync_CollectionsDoNotExist_Throws(OrganizationUser user, OrganizationUser originalUser,
|
||||
List<CollectionAccessSelection> collectionAccess, Guid? savingUserId, SutProvider<UpdateOrganizationUserCommand> sutProvider,
|
||||
Organization organization)
|
||||
{
|
||||
Setup(sutProvider, organization, user, originalUser);
|
||||
|
||||
// Return matching collections, except that 1 is missing
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo =>
|
||||
{
|
||||
var result = callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new Collection { Id = guid, OrganizationId = user.OrganizationId }).ToList();
|
||||
result.RemoveAt(0);
|
||||
return result;
|
||||
});
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(
|
||||
() => sutProvider.Sut.UpdateUserAsync(user, savingUserId, collectionAccess, null));
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task UpdateUserAsync_GroupsBelongToDifferentOrganization_Throws(OrganizationUser user, OrganizationUser originalUser,
|
||||
ICollection<Guid> groupAccess, Guid? savingUserId, SutProvider<UpdateOrganizationUserCommand> sutProvider,
|
||||
Organization organization)
|
||||
{
|
||||
Setup(sutProvider, organization, user, originalUser);
|
||||
|
||||
// Return collections with different organizationIds from the repository
|
||||
sutProvider.GetDependency<IGroupRepository>()
|
||||
.GetManyByManyIds(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new Group { Id = guid, OrganizationId = CoreHelpers.GenerateComb() }).ToList());
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(
|
||||
() => sutProvider.Sut.UpdateUserAsync(user, savingUserId, null, groupAccess));
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task UpdateUserAsync_GroupsDoNotExist_Throws(OrganizationUser user, OrganizationUser originalUser,
|
||||
ICollection<Guid> groupAccess, Guid? savingUserId, SutProvider<UpdateOrganizationUserCommand> sutProvider,
|
||||
Organization organization)
|
||||
{
|
||||
Setup(sutProvider, organization, user, originalUser);
|
||||
|
||||
// Return matching collections, except that 1 is missing
|
||||
sutProvider.GetDependency<IGroupRepository>()
|
||||
.GetManyByManyIds(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo =>
|
||||
{
|
||||
var result = callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new Group { Id = guid, OrganizationId = CoreHelpers.GenerateComb() }).ToList();
|
||||
result.RemoveAt(0);
|
||||
return result;
|
||||
});
|
||||
|
||||
await Assert.ThrowsAsync<NotFoundException>(
|
||||
() => sutProvider.Sut.UpdateUserAsync(user, savingUserId, null, groupAccess));
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
public async Task UpdateUserAsync_Passes(
|
||||
Organization organization,
|
||||
OrganizationUser oldUserData,
|
||||
OrganizationUser newUserData,
|
||||
List<CollectionAccessSelection> collections,
|
||||
IEnumerable<Guid> groups,
|
||||
List<Guid> groups,
|
||||
Permissions permissions,
|
||||
[OrganizationUser(type: OrganizationUserType.Owner)] OrganizationUser savingUser,
|
||||
SutProvider<UpdateOrganizationUserCommand> sutProvider)
|
||||
{
|
||||
var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
|
||||
var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
|
||||
var organizationService = sutProvider.GetDependency<IOrganizationService>();
|
||||
|
||||
organizationRepository.GetByIdAsync(organization.Id).Returns(organization);
|
||||
Setup(sutProvider, organization, newUserData, oldUserData);
|
||||
|
||||
// Deprecated with Flexible Collections
|
||||
oldUserData.AccessAll = false;
|
||||
@ -66,17 +151,20 @@ public class UpdateOrganizationUserCommandTests
|
||||
{
|
||||
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
|
||||
});
|
||||
organizationUserRepository.GetByIdAsync(oldUserData.Id).Returns(oldUserData);
|
||||
organizationUserRepository.GetManyByOrganizationAsync(savingUser.OrganizationId, OrganizationUserType.Owner)
|
||||
.Returns(new List<OrganizationUser> { savingUser });
|
||||
organizationService
|
||||
.HasConfirmedOwnersExceptAsync(
|
||||
newUserData.OrganizationId,
|
||||
Arg.Is<IEnumerable<Guid>>(i => i.Contains(newUserData.Id)))
|
||||
.Returns(true);
|
||||
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new Collection { Id = guid, OrganizationId = oldUserData.OrganizationId }).ToList());
|
||||
|
||||
sutProvider.GetDependency<IGroupRepository>()
|
||||
.GetManyByManyIds(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new Group { Id = guid, OrganizationId = oldUserData.OrganizationId }).ToList());
|
||||
|
||||
await sutProvider.Sut.UpdateUserAsync(newUserData, savingUser.UserId, collections, groups);
|
||||
|
||||
var organizationService = sutProvider.GetDependency<IOrganizationService>();
|
||||
await organizationService.Received(1).ValidateOrganizationUserUpdatePermissions(
|
||||
newUserData.OrganizationId,
|
||||
newUserData.Type,
|
||||
@ -97,7 +185,7 @@ public class UpdateOrganizationUserCommandTests
|
||||
[OrganizationUser(type: OrganizationUserType.User)] OrganizationUser newUserData,
|
||||
[OrganizationUser(type: OrganizationUserType.Owner, status: OrganizationUserStatusType.Confirmed)] OrganizationUser savingUser,
|
||||
List<CollectionAccessSelection> collections,
|
||||
IEnumerable<Guid> groups,
|
||||
List<Guid> groups,
|
||||
SutProvider<UpdateOrganizationUserCommand> sutProvider)
|
||||
{
|
||||
newUserData.Id = oldUserData.Id;
|
||||
@ -106,6 +194,16 @@ public class UpdateOrganizationUserCommandTests
|
||||
newUserData.Permissions = CoreHelpers.ClassToJsonData(new Permissions());
|
||||
newUserData.AccessAll = true;
|
||||
|
||||
sutProvider.GetDependency<ICollectionRepository>()
|
||||
.GetManyByManyIdsAsync(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new Collection { Id = guid, OrganizationId = oldUserData.OrganizationId }).ToList());
|
||||
|
||||
sutProvider.GetDependency<IGroupRepository>()
|
||||
.GetManyByManyIds(Arg.Any<IEnumerable<Guid>>())
|
||||
.Returns(callInfo => callInfo.Arg<IEnumerable<Guid>>()
|
||||
.Select(guid => new Group { Id = guid, OrganizationId = oldUserData.OrganizationId }).ToList());
|
||||
|
||||
sutProvider.GetDependency<IOrganizationRepository>()
|
||||
.GetByIdAsync(organization.Id)
|
||||
.Returns(organization);
|
||||
@ -129,4 +227,24 @@ public class UpdateOrganizationUserCommandTests
|
||||
|
||||
Assert.Contains("the accessall property has been deprecated", exception.Message.ToLowerInvariant());
|
||||
}
|
||||
|
||||
private void Setup(SutProvider<UpdateOrganizationUserCommand> sutProvider, Organization organization,
|
||||
OrganizationUser newUser, OrganizationUser oldUser)
|
||||
{
|
||||
var organizationRepository = sutProvider.GetDependency<IOrganizationRepository>();
|
||||
var organizationUserRepository = sutProvider.GetDependency<IOrganizationUserRepository>();
|
||||
var organizationService = sutProvider.GetDependency<IOrganizationService>();
|
||||
|
||||
organizationRepository.GetByIdAsync(organization.Id).Returns(organization);
|
||||
|
||||
newUser.Id = oldUser.Id;
|
||||
newUser.UserId = oldUser.UserId;
|
||||
newUser.OrganizationId = oldUser.OrganizationId = organization.Id;
|
||||
organizationUserRepository.GetByIdAsync(oldUser.Id).Returns(oldUser);
|
||||
organizationService
|
||||
.HasConfirmedOwnersExceptAsync(
|
||||
oldUser.OrganizationId,
|
||||
Arg.Is<IEnumerable<Guid>>(i => i.Contains(oldUser.Id)))
|
||||
.Returns(true);
|
||||
}
|
||||
}
|
||||
|
||||
Loading…
Reference in New Issue
Block a user