using System.Security.Claims; using Bit.Api.SecretsManager.Controllers; using Bit.Api.SecretsManager.Models.Request; using Bit.Api.Test.SecretsManager.Enums; using Bit.Core.Context; using Bit.Core.Enums; using Bit.Core.Exceptions; using Bit.Core.SecretsManager.Commands.Projects.Interfaces; using Bit.Core.SecretsManager.Entities; using Bit.Core.SecretsManager.Models.Data; using Bit.Core.SecretsManager.Queries.Projects.Interfaces; using Bit.Core.SecretsManager.Repositories; using Bit.Core.Services; using Bit.Core.Test.SecretsManager.AutoFixture.ProjectsFixture; using Bit.Test.Common.AutoFixture; using Bit.Test.Common.AutoFixture.Attributes; using Bit.Test.Common.Helpers; using Microsoft.AspNetCore.Authorization; using NSubstitute; using Xunit; namespace Bit.Api.Test.SecretsManager.Controllers; [ControllerCustomize(typeof(ProjectsController))] [SutProviderCustomize] [ProjectCustomize] [JsonDocumentCustomize] public class ProjectsControllerTests { private static void SetupAdmin(SutProvider sutProvider, Guid organizationId) { sutProvider.GetDependency().AccessSecretsManager(default).ReturnsForAnyArgs(true); sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); sutProvider.GetDependency().OrganizationAdmin(organizationId).Returns(true); } private static void SetupUserWithPermission(SutProvider sutProvider, Guid organizationId) { sutProvider.GetDependency().AccessSecretsManager(default).ReturnsForAnyArgs(true); sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); sutProvider.GetDependency().OrganizationAdmin(organizationId).Returns(false); sutProvider.GetDependency().OrganizationUser(default).ReturnsForAnyArgs(true); } [Theory] [BitAutoData] public async Task ListByOrganization_SmAccessDenied_Throws(SutProvider sutProvider, Guid data) { sutProvider.GetDependency().AccessSecretsManager(data).Returns(false); await Assert.ThrowsAsync(() => sutProvider.Sut.ListByOrganizationAsync(data)); } [Theory] [BitAutoData(PermissionType.RunAsAdmin)] [BitAutoData(PermissionType.RunAsUserWithPermission)] public async Task ListByOrganization_ReturnsEmptyList(PermissionType permissionType, SutProvider sutProvider, Guid data) { switch (permissionType) { case PermissionType.RunAsAdmin: SetupAdmin(sutProvider, data); break; case PermissionType.RunAsUserWithPermission: SetupUserWithPermission(sutProvider, data); break; } var result = await sutProvider.Sut.ListByOrganizationAsync(data); await sutProvider.GetDependency().Received(1) .GetManyByOrganizationIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)), Arg.Any(), Arg.Any()); Assert.Empty(result.Data); } [Theory] [BitAutoData(PermissionType.RunAsAdmin)] [BitAutoData(PermissionType.RunAsUserWithPermission)] public async Task ListByOrganization_Success(PermissionType permissionType, SutProvider sutProvider, Guid data, Project mockProject) { switch (permissionType) { case PermissionType.RunAsAdmin: SetupAdmin(sutProvider, data); break; case PermissionType.RunAsUserWithPermission: SetupUserWithPermission(sutProvider, data); break; } sutProvider.GetDependency().GetManyByOrganizationIdAsync(default, default, default) .ReturnsForAnyArgs(new List { new() { Project = mockProject, Read = true, Write = true } }); var result = await sutProvider.Sut.ListByOrganizationAsync(data); await sutProvider.GetDependency().Received(1) .GetManyByOrganizationIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(data)), Arg.Any(), Arg.Any()); Assert.NotEmpty(result.Data); Assert.Single(result.Data); } [Theory] [BitAutoData] public async Task Create_NoAccess_Throws(SutProvider sutProvider, Guid orgId, ProjectCreateRequestModel data) { sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), data.ToProject(orgId), Arg.Any>()).ReturnsForAnyArgs(AuthorizationResult.Failed()); sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); var resultProject = data.ToProject(orgId); sutProvider.GetDependency().CreateAsync(default, default, sutProvider.GetDependency().IdentityClientType) .ReturnsForAnyArgs(resultProject); await Assert.ThrowsAsync(() => sutProvider.Sut.CreateAsync(orgId, data)); await sutProvider.GetDependency().DidNotReceiveWithAnyArgs() .CreateAsync(Arg.Any(), Arg.Any(), sutProvider.GetDependency().IdentityClientType); } [Theory] [BitAutoData] public async Task Create_AtMaxProjects_Throws(SutProvider sutProvider, Guid orgId, ProjectCreateRequestModel data) { sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), data.ToProject(orgId), Arg.Any>()).ReturnsForAnyArgs(AuthorizationResult.Success()); sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); sutProvider.GetDependency().GetByOrgIdAsync(orgId, 1).Returns(((short)3, true)); await Assert.ThrowsAsync(() => sutProvider.Sut.CreateAsync(orgId, data)); await sutProvider.GetDependency().DidNotReceiveWithAnyArgs() .CreateAsync(Arg.Any(), Arg.Any(), sutProvider.GetDependency().IdentityClientType); } [Theory] [BitAutoData] public async Task Create_Success(SutProvider sutProvider, Guid orgId, ProjectCreateRequestModel data) { sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), data.ToProject(orgId), Arg.Any>()).ReturnsForAnyArgs(AuthorizationResult.Success()); sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); var resultProject = data.ToProject(orgId); sutProvider.GetDependency().CreateAsync(default, default, sutProvider.GetDependency().IdentityClientType) .ReturnsForAnyArgs(resultProject); await sutProvider.Sut.CreateAsync(orgId, data); await sutProvider.GetDependency().Received(1) .CreateAsync(Arg.Any(), Arg.Any(), sutProvider.GetDependency().IdentityClientType); } [Theory] [BitAutoData] public async Task Update_NoAccess_Throws(SutProvider sutProvider, Guid userId, ProjectUpdateRequestModel data, Project existingProject) { sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), data.ToProject(existingProject.Id), Arg.Any>()).ReturnsForAnyArgs(AuthorizationResult.Failed()); sutProvider.GetDependency().GetByIdAsync(existingProject.Id).ReturnsForAnyArgs(existingProject); sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(userId); var resultProject = data.ToProject(existingProject.Id); sutProvider.GetDependency().UpdateAsync(default) .ReturnsForAnyArgs(resultProject); await Assert.ThrowsAsync(() => sutProvider.Sut.UpdateAsync(existingProject.Id, data)); await sutProvider.GetDependency().DidNotReceiveWithAnyArgs() .UpdateAsync(Arg.Any()); } [Theory] [BitAutoData] public async Task Update_Success(SutProvider sutProvider, Guid userId, ProjectUpdateRequestModel data, Project existingProject) { sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), data.ToProject(existingProject.Id), Arg.Any>()).ReturnsForAnyArgs(AuthorizationResult.Success()); sutProvider.GetDependency().GetByIdAsync(existingProject.Id).ReturnsForAnyArgs(existingProject); sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(userId); var resultProject = data.ToProject(existingProject.Id); sutProvider.GetDependency().UpdateAsync(default) .ReturnsForAnyArgs(resultProject); await sutProvider.Sut.UpdateAsync(existingProject.Id, data); await sutProvider.GetDependency().Received(1) .UpdateAsync(Arg.Any()); } [Theory] [BitAutoData] public async Task Get_SmAccessDenied_Throws(SutProvider sutProvider, Guid data, Guid orgId) { SetupAdmin(sutProvider, orgId); sutProvider.GetDependency().AccessSecretsManager(orgId).Returns(false); await Assert.ThrowsAsync(() => sutProvider.Sut.GetAsync(data)); } [Theory] [BitAutoData] public async Task Get_ThrowsNotFound(SutProvider sutProvider, Guid data, Guid orgId) { SetupAdmin(sutProvider, orgId); await Assert.ThrowsAsync(() => sutProvider.Sut.GetAsync(data)); } [Theory] [BitAutoData(PermissionType.RunAsAdmin)] [BitAutoData(PermissionType.RunAsUserWithPermission)] public async Task Get_Success(PermissionType permissionType, SutProvider sutProvider, Guid orgId, Guid data) { switch (permissionType) { case PermissionType.RunAsAdmin: SetupAdmin(sutProvider, orgId); break; case PermissionType.RunAsUserWithPermission: SetupUserWithPermission(sutProvider, orgId); sutProvider.GetDependency().AccessToProjectAsync(default, default, default) .Returns((true, true)); break; } sutProvider.GetDependency().GetByIdAsync(Arg.Is(data)) .ReturnsForAnyArgs(new Project { Id = data, OrganizationId = orgId }); sutProvider.GetDependency().AccessToProjectAsync(default, default, default) .ReturnsForAnyArgs((true, false)); await sutProvider.Sut.GetAsync(data); await sutProvider.GetDependency().Received(1) .GetByIdAsync(Arg.Is(data)); } [Theory] [BitAutoData] public async Task Get_UserWithoutPermission_Throws(SutProvider sutProvider, Guid orgId, Guid data) { SetupUserWithPermission(sutProvider, orgId); sutProvider.GetDependency().AccessToProjectAsync(default, default, default) .Returns((false, false)); sutProvider.GetDependency().GetByIdAsync(Arg.Is(data)) .ReturnsForAnyArgs(new Project { Id = data, OrganizationId = orgId }); await Assert.ThrowsAsync(() => sutProvider.Sut.GetAsync(data)); } [Theory] [BitAutoData] public async Task BulkDeleteProjects_NoProjectsFound_ThrowsNotFound( SutProvider sutProvider, List data) { var ids = data.Select(project => project.Id).ToList(); sutProvider.GetDependency().GetManyWithSecretsByIds(Arg.Is(ids)).ReturnsForAnyArgs(new List()); await Assert.ThrowsAsync(() => sutProvider.Sut.BulkDeleteAsync(ids)); } [Theory] [BitAutoData] public async Task BulkDeleteProjects_ProjectsFoundMisMatch_ThrowsNotFound( SutProvider sutProvider, List data, Project mockProject) { data.Add(mockProject); var ids = data.Select(project => project.Id).ToList(); sutProvider.GetDependency().GetManyWithSecretsByIds(Arg.Is(ids)).ReturnsForAnyArgs(new List { mockProject }); await Assert.ThrowsAsync(() => sutProvider.Sut.BulkDeleteAsync(ids)); } [Theory] [BitAutoData] public async Task BulkDeleteProjects_OrganizationMistMatch_ThrowsNotFound( SutProvider sutProvider, List data) { var ids = data.Select(project => project.Id).ToList(); sutProvider.GetDependency().GetManyWithSecretsByIds(Arg.Is(ids)).ReturnsForAnyArgs(data); await Assert.ThrowsAsync(() => sutProvider.Sut.BulkDeleteAsync(ids)); } [Theory] [BitAutoData] public async Task BulkDeleteProjects_NoAccessToSecretsManager_ThrowsNotFound( SutProvider sutProvider, List data) { var ids = data.Select(project => project.Id).ToList(); var organizationId = data.First().OrganizationId; foreach (var project in data) { project.OrganizationId = organizationId; } sutProvider.GetDependency().AccessSecretsManager(Arg.Is(organizationId)).ReturnsForAnyArgs(false); sutProvider.GetDependency().GetManyWithSecretsByIds(Arg.Is(ids)).ReturnsForAnyArgs(data); await Assert.ThrowsAsync(() => sutProvider.Sut.BulkDeleteAsync(ids)); } [Theory] [BitAutoData] public async Task BulkDeleteProjects_ReturnsAccessDeniedForProjectsWithoutAccess_Success( SutProvider sutProvider, List data) { var ids = data.Select(project => project.Id).ToList(); var organizationId = data.First().OrganizationId; foreach (var project in data) { project.OrganizationId = organizationId; sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), project, Arg.Any>()).ReturnsForAnyArgs(AuthorizationResult.Success()); } sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), data.First(), Arg.Any>()).Returns(AuthorizationResult.Failed()); sutProvider.GetDependency().AccessSecretsManager(Arg.Is(organizationId)).ReturnsForAnyArgs(true); sutProvider.GetDependency().GetManyWithSecretsByIds(Arg.Is(ids)).ReturnsForAnyArgs(data); var results = await sutProvider.Sut.BulkDeleteAsync(ids); Assert.Equal(data.Count, results.Data.Count()); Assert.Equal("access denied", results.Data.First().Error); data.Remove(data.First()); await sutProvider.GetDependency().Received(1) .DeleteProjects(Arg.Is(AssertHelper.AssertPropertyEqual(data))); } [Theory] [BitAutoData] public async Task BulkDeleteProjects_Success(SutProvider sutProvider, List data) { var ids = data.Select(project => project.Id).ToList(); var organizationId = data.First().OrganizationId; foreach (var project in data) { project.OrganizationId = organizationId; sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), project, Arg.Any>()).ReturnsForAnyArgs(AuthorizationResult.Success()); } sutProvider.GetDependency().GetManyWithSecretsByIds(Arg.Is(ids)).ReturnsForAnyArgs(data); sutProvider.GetDependency().AccessSecretsManager(Arg.Is(organizationId)).ReturnsForAnyArgs(true); var results = await sutProvider.Sut.BulkDeleteAsync(ids); await sutProvider.GetDependency().Received(1) .DeleteProjects(Arg.Is(AssertHelper.AssertPropertyEqual(data))); Assert.Equal(data.Count, results.Data.Count()); foreach (var result in results.Data) { Assert.Null(result.Error); } } }