using System.Security.Claims; using Bit.Api.SecretsManager.Controllers; using Bit.Api.SecretsManager.Models.Request; using Bit.Core.Context; using Bit.Core.Enums; using Bit.Core.Exceptions; using Bit.Core.SecretsManager.Commands.AccessTokens.Interfaces; using Bit.Core.SecretsManager.Commands.ServiceAccounts.Interfaces; using Bit.Core.SecretsManager.Entities; using Bit.Core.SecretsManager.Repositories; using Bit.Core.Services; using Bit.Test.Common.AutoFixture; using Bit.Test.Common.AutoFixture.Attributes; using Bit.Test.Common.Helpers; using Microsoft.AspNetCore.Authorization; using NSubstitute; using NSubstitute.ReturnsExtensions; using Xunit; namespace Bit.Api.Test.SecretsManager.Controllers; [ControllerCustomize(typeof(ServiceAccountsController))] [SutProviderCustomize] [JsonDocumentCustomize] public class ServiceAccountsControllerTests { [Theory] [BitAutoData] public async void GetServiceAccountsByOrganization_ReturnsEmptyList(SutProvider sutProvider, Guid id) { sutProvider.GetDependency().AccessSecretsManager(id).Returns(true); sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); var result = await sutProvider.Sut.ListByOrganizationAsync(id); await sutProvider.GetDependency().Received(1) .GetManyByOrganizationIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(id)), Arg.Any(), Arg.Any()); Assert.Empty(result.Data); } [Theory] [BitAutoData] public async void GetServiceAccountsByOrganization_Success(SutProvider sutProvider, ServiceAccount resultServiceAccount) { sutProvider.GetDependency().AccessSecretsManager(default).ReturnsForAnyArgs(true); sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); sutProvider.GetDependency().GetManyByOrganizationIdAsync(default, default, default).ReturnsForAnyArgs(new List() { resultServiceAccount }); var result = await sutProvider.Sut.ListByOrganizationAsync(resultServiceAccount.OrganizationId); await sutProvider.GetDependency().Received(1) .GetManyByOrganizationIdAsync(Arg.Is(AssertHelper.AssertPropertyEqual(resultServiceAccount.OrganizationId)), Arg.Any(), Arg.Any()); Assert.NotEmpty(result.Data); Assert.Single(result.Data); } [Theory] [BitAutoData] public async void GetServiceAccountsByOrganization_AccessDenied_Throws(SutProvider sutProvider, Guid orgId) { sutProvider.GetDependency().AccessSecretsManager(default).ReturnsForAnyArgs(false); await Assert.ThrowsAsync(() => sutProvider.Sut.ListByOrganizationAsync(orgId)); } [Theory] [BitAutoData] public async void CreateServiceAccount_NoAccess_Throws(SutProvider sutProvider, ServiceAccountCreateRequestModel data, Guid organizationId) { sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), data.ToServiceAccount(organizationId), Arg.Any>()).ReturnsForAnyArgs(AuthorizationResult.Failed()); sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); var resultServiceAccount = data.ToServiceAccount(organizationId); sutProvider.GetDependency().CreateAsync(default, default).ReturnsForAnyArgs(resultServiceAccount); await Assert.ThrowsAsync(() => sutProvider.Sut.CreateAsync(organizationId, data)); await sutProvider.GetDependency().DidNotReceiveWithAnyArgs() .CreateAsync(Arg.Any(), Arg.Any()); } [Theory] [BitAutoData] public async void CreateServiceAccount_Success(SutProvider sutProvider, ServiceAccountCreateRequestModel data, Guid organizationId) { sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), data.ToServiceAccount(organizationId), Arg.Any>()).ReturnsForAnyArgs(AuthorizationResult.Success()); sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); var resultServiceAccount = data.ToServiceAccount(organizationId); sutProvider.GetDependency().CreateAsync(default, default).ReturnsForAnyArgs(resultServiceAccount); await sutProvider.Sut.CreateAsync(organizationId, data); await sutProvider.GetDependency().Received(1) .CreateAsync(Arg.Any(), Arg.Any()); } [Theory] [BitAutoData] public async void UpdateServiceAccount_NoAccess_Throws(SutProvider sutProvider, ServiceAccountUpdateRequestModel data, ServiceAccount existingServiceAccount) { sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), data.ToServiceAccount(existingServiceAccount.Id), Arg.Any>()).ReturnsForAnyArgs(AuthorizationResult.Failed()); sutProvider.GetDependency().GetByIdAsync(existingServiceAccount.Id).ReturnsForAnyArgs(existingServiceAccount); var resultServiceAccount = data.ToServiceAccount(existingServiceAccount.Id); sutProvider.GetDependency().UpdateAsync(default).ReturnsForAnyArgs(resultServiceAccount); await Assert.ThrowsAsync(() => sutProvider.Sut.UpdateAsync(existingServiceAccount.Id, data)); await sutProvider.GetDependency().DidNotReceiveWithAnyArgs() .UpdateAsync(Arg.Any()); } [Theory] [BitAutoData] public async void UpdateServiceAccount_Success(SutProvider sutProvider, ServiceAccountUpdateRequestModel data, ServiceAccount existingServiceAccount) { sutProvider.GetDependency() .AuthorizeAsync(Arg.Any(), data.ToServiceAccount(existingServiceAccount.Id), Arg.Any>()).ReturnsForAnyArgs(AuthorizationResult.Success()); var resultServiceAccount = data.ToServiceAccount(existingServiceAccount.Id); sutProvider.GetDependency().UpdateAsync(default).ReturnsForAnyArgs(resultServiceAccount); var result = await sutProvider.Sut.UpdateAsync(existingServiceAccount.Id, data); await sutProvider.GetDependency().Received(1) .UpdateAsync(Arg.Any()); } [Theory] [BitAutoData] public async void CreateAccessToken_Success(SutProvider sutProvider, AccessTokenCreateRequestModel data, Guid serviceAccountId) { sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); var resultAccessToken = data.ToApiKey(serviceAccountId); sutProvider.GetDependency().CreateAsync(default, default).ReturnsForAnyArgs(resultAccessToken); var result = await sutProvider.Sut.CreateAccessTokenAsync(serviceAccountId, data); await sutProvider.GetDependency().Received(1) .CreateAsync(Arg.Any(), Arg.Any()); } [Theory] [BitAutoData] public async void GetAccessTokens_NoServiceAccount_ThrowsNotFound(SutProvider sutProvider, Guid serviceAccountId) { sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(Guid.NewGuid()); sutProvider.GetDependency().GetByIdAsync(default).ReturnsNull(); await Assert.ThrowsAsync(() => sutProvider.Sut.GetAccessTokens(serviceAccountId)); await sutProvider.GetDependency().DidNotReceiveWithAnyArgs().GetManyByServiceAccountIdAsync(Arg.Any()); } [Theory] [BitAutoData] public async void GetAccessTokens_Admin_Success(SutProvider sutProvider, ServiceAccount data, Guid userId, ICollection resultApiKeys) { sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(userId); sutProvider.GetDependency().AccessSecretsManager(data.OrganizationId).Returns(true); sutProvider.GetDependency().OrganizationAdmin(data.OrganizationId).Returns(true); sutProvider.GetDependency().GetByIdAsync(default).ReturnsForAnyArgs(data); foreach (var apiKey in resultApiKeys) { apiKey.Scope = "[\"api.secrets\"]"; } sutProvider.GetDependency().GetManyByServiceAccountIdAsync(default).ReturnsForAnyArgs(resultApiKeys); var result = await sutProvider.Sut.GetAccessTokens(data.Id); await sutProvider.GetDependency().Received(1).GetManyByServiceAccountIdAsync(Arg.Any()); Assert.NotEmpty(result.Data); Assert.Equal(resultApiKeys.Count, result.Data.Count()); } [Theory] [BitAutoData] public async void GetAccessTokens_User_Success(SutProvider sutProvider, ServiceAccount data, Guid userId, ICollection resultApiKeys) { sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(userId); sutProvider.GetDependency().AccessSecretsManager(data.OrganizationId).Returns(true); sutProvider.GetDependency().OrganizationAdmin(data.OrganizationId).Returns(false); sutProvider.GetDependency().UserHasReadAccessToServiceAccount(default, default).ReturnsForAnyArgs(true); sutProvider.GetDependency().GetByIdAsync(default).ReturnsForAnyArgs(data); foreach (var apiKey in resultApiKeys) { apiKey.Scope = "[\"api.secrets\"]"; } sutProvider.GetDependency().GetManyByServiceAccountIdAsync(default).ReturnsForAnyArgs(resultApiKeys); var result = await sutProvider.Sut.GetAccessTokens(data.Id); await sutProvider.GetDependency().Received(1).GetManyByServiceAccountIdAsync(Arg.Any()); Assert.NotEmpty(result.Data); Assert.Equal(resultApiKeys.Count, result.Data.Count()); } [Theory] [BitAutoData] public async void GetAccessTokens_UserNoAccess_ThrowsNotFound(SutProvider sutProvider, ServiceAccount data, Guid userId, ICollection resultApiKeys) { sutProvider.GetDependency().GetProperUserId(default).ReturnsForAnyArgs(userId); sutProvider.GetDependency().OrganizationAdmin(data.OrganizationId).Returns(false); sutProvider.GetDependency().UserHasReadAccessToServiceAccount(default, default).ReturnsForAnyArgs(false); sutProvider.GetDependency().GetByIdAsync(default).ReturnsForAnyArgs(data); foreach (var apiKey in resultApiKeys) { apiKey.Scope = "[\"api.secrets\"]"; } sutProvider.GetDependency().GetManyByServiceAccountIdAsync(default).ReturnsForAnyArgs(resultApiKeys); await Assert.ThrowsAsync(() => sutProvider.Sut.GetAccessTokens(data.Id)); await sutProvider.GetDependency().DidNotReceiveWithAnyArgs().GetManyByServiceAccountIdAsync(Arg.Any()); } }