new endpoints added but lack test coverage

Author: harr1424

src/Api/Tools/Controllers/SendsController.cs

@@ -5,6 +5,8 @@
 using Bit.Api.Tools.Models.Response;
 using Bit.Api.Utilities;
 using Bit.Core;
+using Bit.Core.Auth.Identity;
+using Bit.Core.Auth.UserFeatures.SendAccess;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
 using Bit.Core.Tools.Enums;
@@ -30,10 +32,10 @@ public class SendsController : Controller
     private readonly ISendFileStorageService _sendFileStorageService;
     private readonly IAnonymousSendCommand _anonymousSendCommand;
     private readonly INonAnonymousSendCommand _nonAnonymousSendCommand;
-
     private readonly ISendOwnerQuery _sendOwnerQuery;
-
     private readonly ILogger<SendsController> _logger;
+    private readonly IFeatureService _featureService;
+    private readonly ISendAuthenticationQuery _sendAuthenticationQuery;
 
     public SendsController(
         ISendRepository sendRepository,
@@ -43,7 +45,9 @@ public SendsController(
         INonAnonymousSendCommand nonAnonymousSendCommand,
         ISendOwnerQuery sendOwnerQuery,
         ISendFileStorageService sendFileStorageService,
-        ILogger<SendsController> logger)
+        ILogger<SendsController> logger,
+        IFeatureService featureService,
+        ISendAuthenticationQuery sendAuthenticationQuery)
     {
         _sendRepository = sendRepository;
         _userService = userService;
@@ -53,6 +57,8 @@ public SendsController(
         _sendOwnerQuery = sendOwnerQuery;
         _sendFileStorageService = sendFileStorageService;
         _logger = logger;
+        _featureService = featureService;
+        _sendAuthenticationQuery = sendAuthenticationQuery;
     }
 
     #region Anonymous endpoints
@@ -69,21 +75,33 @@ public async Task<IActionResult> Access(string id, [FromBody] SendAccessRequestM
 
         var guid = new Guid(CoreHelpers.Base64UrlDecode(id));
         var send = await _sendRepository.GetByIdAsync(guid);
+
+        var sendEmailOtpEnabled = _featureService.IsEnabled(FeatureFlagKeys.SendEmailOTP);
+        var authMethod = await _sendAuthenticationQuery.GetAuthenticationMethod(guid);
+
+        if (authMethod is EmailOtp && sendEmailOtpEnabled)
+        {
+            return new UnauthorizedResult();
+        }
+
         if (send == null)
         {
             throw new BadRequestException("Could not locate send");
         }
+
         var sendAuthResult =
             await _sendAuthorizationService.AccessAsync(send, model.Password);
         if (sendAuthResult.Equals(SendAccessResult.PasswordRequired))
         {
             return new UnauthorizedResult();
         }
+
         if (sendAuthResult.Equals(SendAccessResult.PasswordInvalid))
         {
             await Task.Delay(2000);
             throw new BadRequestException("Invalid password.");
         }
+
         if (sendAuthResult.Equals(SendAccessResult.Denied))
         {
             throw new NotFoundException();
@@ -95,6 +113,7 @@ public async Task<IActionResult> Access(string id, [FromBody] SendAccessRequestM
             var creator = await _userService.GetUserByIdAsync(send.UserId.Value);
             sendResponse.CreatorIdentifier = creator.Email;
         }
+
         return new ObjectResult(sendResponse);
     }
 
@@ -113,6 +132,14 @@ public async Task<IActionResult> GetSendFileDownloadData(string encodedSendId,
         var sendId = new Guid(CoreHelpers.Base64UrlDecode(encodedSendId));
         var send = await _sendRepository.GetByIdAsync(sendId);
 
+        var sendEmailOtpEnabled = _featureService.IsEnabled(FeatureFlagKeys.SendEmailOTP);
+        var authMethod = await _sendAuthenticationQuery.GetAuthenticationMethod(sendId);
+
+        if (authMethod is EmailOtp && sendEmailOtpEnabled)
+        {
+            return new UnauthorizedResult();
+        }
+
         if (send == null)
         {
             throw new BadRequestException("Could not locate send");
@@ -125,21 +152,19 @@ public async Task<IActionResult> GetSendFileDownloadData(string encodedSendId,
         {
             return new UnauthorizedResult();
         }
+
         if (result.Equals(SendAccessResult.PasswordInvalid))
         {
             await Task.Delay(2000);
             throw new BadRequestException("Invalid password.");
         }
+
         if (result.Equals(SendAccessResult.Denied))
         {
             throw new NotFoundException();
         }
 
-        return new ObjectResult(new SendFileDownloadDataResponseModel()
-        {
-            Id = fileId,
-            Url = url,
-        });
+        return new ObjectResult(new SendFileDownloadDataResponseModel() { Id = fileId, Url = url, });
     }
 
     [AllowAnonymous]
@@ -153,7 +178,8 @@ public async Task<ObjectResult> AzureValidateFile()
                 {
                     try
                     {
-                        var blobName = eventGridEvent.Subject.Split($"{AzureSendFileStorageService.FilesContainerName}/blobs/")[1];
+                        var blobName =
+                            eventGridEvent.Subject.Split($"{AzureSendFileStorageService.FilesContainerName}/blobs/")[1];
                         var sendId = AzureSendFileStorageService.SendIdFromBlobName(blobName);
                         var send = await _sendRepository.GetByIdAsync(new Guid(sendId));
                         if (send == null)
@@ -162,14 +188,16 @@ public async Task<ObjectResult> AzureValidateFile()
                             {
                                 await azureSendFileStorageService.DeleteBlobAsync(blobName);
                             }
+
                             return;
                         }
 
                         await _nonAnonymousSendCommand.ConfirmFileSize(send);
                     }
                     catch (Exception e)
                     {
-                        _logger.LogError(e, "Uncaught exception occurred while handling event grid event: {Event}", JsonSerializer.Serialize(eventGridEvent));
+                        _logger.LogError(e, "Uncaught exception occurred while handling event grid event: {Event}",
+                            JsonSerializer.Serialize(eventGridEvent));
                         return;
                     }
                 }
@@ -199,6 +227,46 @@ public async Task<ListResponseModel<SendResponseModel>> GetAll()
         return result;
     }
 
+    [Authorize(Policy = Policies.Send)]
+    [RequireFeature(FeatureFlagKeys.SendEmailOTP)]
+    [HttpPost("access/")]
+    public async Task<IActionResult> Access([FromBody] SendAccessRequestModel model)
+    {
+        var guid = User.GetSendId();
+        var send = await _sendRepository.GetByIdAsync(guid);
+        if (send == null)
+        {
+            throw new BadRequestException("Could not locate send");
+        }
+
+        var sendResponse = new SendAccessResponseModel(send);
+        if (send.UserId.HasValue && !send.HideEmail.GetValueOrDefault())
+        {
+            var creator = await _userService.GetUserByIdAsync(send.UserId.Value);
+            sendResponse.CreatorIdentifier = creator.Email;
+        }
+
+        return new ObjectResult(sendResponse);
+    }
+
+    [Authorize(Policy = Policies.Send)]
+    [RequireFeature(FeatureFlagKeys.SendEmailOTP)]
+    [HttpPost("access/file/{fileId}")]
+    public async Task<IActionResult> GetSendFileDownloadData(string fileId)
+    {
+        var sendId = User.GetSendId();
+        var send = await _sendRepository.GetByIdAsync(sendId);
+
+        if (send == null)
+        {
+            throw new BadRequestException("Could not locate send");
+        }
+
+        var url = await _sendFileStorageService.GetSendFileDownloadUrlAsync(send, fileId);
+
+        return new ObjectResult(new SendFileDownloadDataResponseModel() { Id = fileId, Url = url });
+    }
+
     [HttpPost("")]
     public async Task<SendResponseModel> Post([FromBody] SendRequestModel model)
     {
@@ -279,6 +347,7 @@ public async Task PostFileForExistingSend(string id, string fileId)
         {
             throw new BadRequestException("Could not locate send");
         }
+
         await Request.GetFileAsync(async (stream) =>
         {
             await _nonAnonymousSendCommand.UploadFileToExistingSendAsync(stream, send);

test/Api.Test/Tools/Controllers/SendsControllerTests.cs

@@ -9,7 +9,6 @@
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.Services;
-using Bit.Core.Settings;
 using Bit.Core.Tools.Entities;
 using Bit.Core.Tools.Enums;
 using Bit.Core.Tools.Models.Data;
@@ -28,7 +27,6 @@ namespace Bit.Api.Test.Tools.Controllers;
 public class SendsControllerTests : IDisposable
 {
     private readonly SendsController _sut;
-    private readonly GlobalSettings _globalSettings;
     private readonly IUserService _userService;
     private readonly ISendRepository _sendRepository;
     private readonly INonAnonymousSendCommand _nonAnonymousSendCommand;
@@ -37,6 +35,8 @@ public class SendsControllerTests : IDisposable
     private readonly ISendAuthorizationService _sendAuthorizationService;
     private readonly ISendFileStorageService _sendFileStorageService;
     private readonly ILogger<SendsController> _logger;
+    private readonly IFeatureService _featureService;
+    private readonly ISendAuthenticationQuery _sendAuthenticationQuery;
 
     public SendsControllerTests()
     {
@@ -47,8 +47,9 @@ public SendsControllerTests()
         _sendOwnerQuery = Substitute.For<ISendOwnerQuery>();
         _sendAuthorizationService = Substitute.For<ISendAuthorizationService>();
         _sendFileStorageService = Substitute.For<ISendFileStorageService>();
-        _globalSettings = new GlobalSettings();
         _logger = Substitute.For<ILogger<SendsController>>();
+        _featureService = Substitute.For<IFeatureService>();
+        _sendAuthenticationQuery = Substitute.For<ISendAuthenticationQuery>();
 
         _sut = new SendsController(
             _sendRepository,
@@ -59,7 +60,8 @@ public SendsControllerTests()
             _sendOwnerQuery,
             _sendFileStorageService,
             _logger,
-            _globalSettings
+            _featureService,
+            _sendAuthenticationQuery
         );
     }