
[SM-896] restricting access to disabled orgs #3287

Merged
merged 13 commits into from
Oct 16, 2023
2 changes: 1 addition & 1 deletion src/Core/Context/CurrentContextOrganization.cs
Expand Up @@ -14,7 +14,7 @@ public CurrentContextOrganization(OrganizationUserOrganizationDetails orgUser)
Id = orgUser.OrganizationId;
Type = orgUser.Type;
Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(orgUser.Permissions);
AccessSecretsManager = orgUser.AccessSecretsManager && orgUser.UseSecretsManager;
AccessSecretsManager = orgUser.AccessSecretsManager && orgUser.UseSecretsManager && orgUser.Enabled;
}

public Guid Id { get; set; }
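Review bot: The new `&& orgUser.Enabled` term on the AccessSecretsManager line reads a flag whose subject is ambiguous from this constructor alone — `orgUser` is an OrganizationUserOrganizationDetails, so a reader cannot tell here whether `Enabled` describes the organization or the membership, and a why-comment would make the gate auditable: `// SM-896: a disabled organization must not grant Secrets Manager access, even if the org and user are otherwise entitled.` Id, Type and Permissions are still populated from a disabled organization, so only the Secrets Manager path is gated at this point; if non-SM access to disabled organizations is meant to be blocked too, that has to happen elsewhere. The same organization-enabled predicate is repeated in ClientStore.CreateApiKeyClientAsync in this PR; a single helper on the organization type would keep the two checks from drifting apart. The constructor continues beyond the hunk.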
2 changes: 1 addition & 1 deletion src/Identity/IdentityServer/ClientStore.cs
Expand Up @@ -100,7 +100,7 @@ private async Task<Client> CreateApiKeyClientAsync(string clientId)
{
case ServiceAccountApiKeyDetails key:
var org = await _organizationRepository.GetByIdAsync(key.ServiceAccountOrganizationId);
if (!org.UseSecretsManager)
if (!org.UseSecretsManager || !org.Enabled)
{
return null;
}
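Review bot: The rewritten condition `if (!org.UseSecretsManager || !org.Enabled)` dereferences `org` without a null check, so if `_organizationRepository.GetByIdAsync` can return null for a service account whose organization no longer exists (repositories of this shape commonly do, though the repository is not visible here), the API-key client lookup throws instead of rejecting the client. The pre-existing line had the same gap, but since this line is being rewritten it is the natural place to close it: `if (org is null || !org.UseSecretsManager || !org.Enabled)`. Returning null makes a disabled organization indistinguishable from an unknown client at the IdentityServer boundary, which is a sensible fail-closed default but worth a one-line comment so nobody "fixes" it into a more descriptive error later. CreateApiKeyClientAsync continues outside the hunk on both sides.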


Expand Up @@ -56,12 +56,16 @@ private async Task LoginAsync(string email)
}

[Theory]
[InlineData(false, false)]
[InlineData(true, false)]
[InlineData(false, true)]
public async Task ListByOrganization_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
[InlineData(false, false, false)]
[InlineData(false, false, true)]
[InlineData(false, true, false)]
[InlineData(false, true, true)]
[InlineData(true, false, false)]
[InlineData(true, false, true)]
[InlineData(true, true, false)]
public async Task ListByOrganization_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets, bool organizationEnabled)
{
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
await LoginAsync(_email);

var response = await _client.GetAsync($"/organizations/{org.Id}/projects");
Expand All @@ -71,7 +75,7 @@ public async Task ListByOrganization_SmNotEnabled_NotFound(bool useSecrets, bool
[Fact]
public async Task ListByOrganization_UserWithoutPermission_EmptyList()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
var (org, _) = await _organizationHelper.Initialize(true, true, true);
var (email, _) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);

Expand Down Expand Up @@ -102,12 +106,16 @@ public async Task ListByOrganization_Success(PermissionType permissionType)
}

[Theory]
[InlineData(false, false)]
[InlineData(true, false)]
[InlineData(false, true)]
public async Task Create_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
[InlineData(false, false, false)]
[InlineData(false, false, true)]
[InlineData(false, true, false)]
[InlineData(false, true, true)]
[InlineData(true, false, false)]
[InlineData(true, false, true)]
[InlineData(true, true, false)]
public async Task Create_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets, bool organizationEnabled)
{
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
await LoginAsync(_email);

var request = new ProjectCreateRequestModel { Name = _mockEncryptedString };
Expand All @@ -134,7 +142,7 @@ public async Task Create_AtMaxProjects_BadRequest(PermissionType permissionType)
[InlineData(PermissionType.RunAsUserWithPermission)]
public async Task Create_Success(PermissionType permissionType)
{
var (org, adminOrgUser) = await _organizationHelper.Initialize(true, true);
var (org, adminOrgUser) = await _organizationHelper.Initialize(true, true, true);
await LoginAsync(_email);
var orgUserId = adminOrgUser.Id;
var currentUserId = adminOrgUser.UserId!.Value;
Expand Down Expand Up @@ -178,12 +186,16 @@ public async Task Create_Success(PermissionType permissionType)
}

[Theory]
[InlineData(false, false)]
[InlineData(true, false)]
[InlineData(false, true)]
public async Task Update_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
[InlineData(false, false, false)]
[InlineData(false, false, true)]
[InlineData(false, true, false)]
[InlineData(false, true, true)]
[InlineData(true, false, false)]
[InlineData(true, false, true)]
[InlineData(true, true, false)]
public async Task Update_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets, bool organizationEnabled)
{
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
await LoginAsync(_email);

var initialProject = await _projectRepository.CreateAsync(new Project
Expand Down Expand Up @@ -231,7 +243,7 @@ public async Task Update_Success(PermissionType permissionType)
[Fact]
public async Task Update_NonExistingProject_NotFound()
{
await _organizationHelper.Initialize(true, true);
await _organizationHelper.Initialize(true, true, true);
await LoginAsync(_email);

var request = new ProjectUpdateRequestModel
Expand All @@ -248,7 +260,7 @@ public async Task Update_NonExistingProject_NotFound()
[Fact]
public async Task Update_MissingAccessPolicy_NotFound()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
var (org, _) = await _organizationHelper.Initialize(true, true, true);
var (email, _) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);

Expand All @@ -270,12 +282,16 @@ public async Task Update_MissingAccessPolicy_NotFound()
}

[Theory]
[InlineData(false, false)]
[InlineData(true, false)]
[InlineData(false, true)]
public async Task Get_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
[InlineData(false, false, false)]
[InlineData(false, false, true)]
[InlineData(false, true, false)]
[InlineData(false, true, true)]
[InlineData(true, false, false)]
[InlineData(true, false, true)]
[InlineData(true, true, false)]
public async Task Get_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets, bool organizationEnabled)
{
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
await LoginAsync(_email);

var project = await _projectRepository.CreateAsync(new Project
Expand All @@ -295,7 +311,7 @@ public async Task Get_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
[Fact]
public async Task Get_MissingAccessPolicy_NotFound()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
var (org, _) = await _organizationHelper.Initialize(true, true, true);
var (email, _) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);

Expand All @@ -312,7 +328,7 @@ public async Task Get_MissingAccessPolicy_NotFound()
[Fact]
public async Task Get_NonExistingProject_NotFound()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
var (org, _) = await _organizationHelper.Initialize(true, true, true);
var (email, _) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);

Expand Down Expand Up @@ -346,12 +362,16 @@ public async Task Get_Success(PermissionType permissionType)
}

[Theory]
[InlineData(false, false)]
[InlineData(true, false)]
[InlineData(false, true)]
public async Task Delete_SmNotEnabled_NotFound(bool useSecrets, bool accessSecrets)
[InlineData(false, false, false)]
[InlineData(false, false, true)]
[InlineData(false, true, false)]
[InlineData(false, true, true)]
[InlineData(true, false, false)]
[InlineData(true, false, true)]
[InlineData(true, true, false)]
public async Task Delete_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets, bool organizationEnabled)
{
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets);
var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
await LoginAsync(_email);

var projectIds = await CreateProjectsAsync(org.Id);
Expand All @@ -363,7 +383,7 @@ public async Task Delete_SmNotEnabled_NotFound(bool useSecrets, bool accessSecre
[Fact]
public async Task Delete_MissingAccessPolicy_AccessDenied()
{
var (org, _) = await _organizationHelper.Initialize(true, true);
var (org, _) = await _organizationHelper.Initialize(true, true, true);
var (email, _) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
await LoginAsync(email);

Expand Down Expand Up @@ -417,7 +437,7 @@ private async Task<List<Guid>> CreateProjectsAsync(Guid orgId, int numberToCreat
private async Task<(List<Guid>, Organization)> SetupProjectsWithAccessAsync(PermissionType permissionType,
int projectsToCreate = 3)
{
var (org, _) = await _organizationHelper.Initialize(true, true);
var (org, _) = await _organizationHelper.Initialize(true, true, true);
await LoginAsync(_email);
var projectIds = await CreateProjectsAsync(org.Id, projectsToCreate);

Expand Down Expand Up @@ -446,7 +466,7 @@ private async Task<List<Guid>> CreateProjectsAsync(Guid orgId, int numberToCreat

private async Task<Project> SetupProjectWithAccessAsync(PermissionType permissionType)
{
var (org, _) = await _organizationHelper.Initialize(true, true);
var (org, _) = await _organizationHelper.Initialize(true, true, true);
await LoginAsync(_email);

var initialProject = await _projectRepository.CreateAsync(new Project
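Review bot: The seven `[InlineData]` rows (every combination of the three flags except all-true) are copied verbatim into the ListByOrganization, Create, Update, Get and Delete theories, and every other test now passes `Initialize(true, true, true)` positionally, which makes the positive case hard to spot and the denied set easy to get out of sync when a fourth flag is added. A single shared `[MemberData]` source that generates the denied combinations by exclusion, plus named arguments (or a default value for `organizationEnabled`, which cannot be checked here because the helper's file is not rendered on this page) for the all-true calls, would keep the intent visible. The rename from `_SmNotEnabled_` to `_SmAccessDenied_` matches the broadened condition well. The file's remaining hunks show only the same mechanical argument change.
```csharp
// … unchanged: fields, constructor, LoginAsync …

// Every (useSecrets, accessSecrets, organizationEnabled) combination except all-true must be denied.
public static IEnumerable<object[]> SmAccessDeniedCases =>
    from useSecrets in new[] { false, true }
    from accessSecrets in new[] { false, true }
    from organizationEnabled in new[] { false, true }
    where !(useSecrets && accessSecrets && organizationEnabled)
    select new object[] { useSecrets, accessSecrets, organizationEnabled };

[Theory]
[MemberData(nameof(SmAccessDeniedCases))]
public async Task ListByOrganization_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets, bool organizationEnabled)
{
    var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
    // … unchanged: login and request assertions …

// … unchanged: remaining theories use the same [MemberData] attribute …
```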