Refactor canClone method to use CipherAuthorizationService (#16849)

2025-12-06 00:13:28 +00:00 · 2025-10-28 19:00:56 +01:00
parent c1a988c2ab
commit 11d3f5247c
3 changed files with 185 additions and 34 deletions
--- a/libs/common/src/vault/services/restricted-item-types.service.spec.ts
+++ b/libs/common/src/vault/services/restricted-item-types.service.spec.ts
@@ -12,6 +12,8 @@ import { Utils } from "@bitwarden/common/platform/misc/utils";
 import { UserId } from "@bitwarden/common/types/guid";
 import { CipherType } from "@bitwarden/common/vault/enums";

+import { CipherLike } from "../types/cipher-like";
+
 import { RestrictedItemTypesService, RestrictedCipherType } from "./restricted-item-types.service";

 describe("RestrictedItemTypesService", () => {
@@ -130,4 +132,170 @@ describe("RestrictedItemTypesService", () => {
      { cipherType: CipherType.Identity, allowViewOrgIds: ["org1"] },
    ]);
  });
+
+  describe("isCipherRestricted", () => {
+    it("returns false when cipher type is not in restricted types", () => {
+      const cipher: CipherLike = {
+        type: CipherType.Login,
+        organizationId: "Pete the Cat",
+      } as CipherLike;
+      const restrictedTypes: RestrictedCipherType[] = [
+        { cipherType: CipherType.Card, allowViewOrgIds: [] },
+      ];
+
+      const result = service.isCipherRestricted(cipher, restrictedTypes);
+
+      expect(result).toBe(false);
+    });
+
+    it("returns false when restricted types array is empty", () => {
+      const cipher: CipherLike = { type: CipherType.Card, organizationId: "org1" } as CipherLike;
+      const restrictedTypes: RestrictedCipherType[] = [];
+
+      const result = service.isCipherRestricted(cipher, restrictedTypes);
+
+      expect(result).toBe(false);
+    });
+
+    it("returns false when cipher type does not match any restricted types", () => {
+      const cipher: CipherLike = {
+        type: CipherType.SecureNote,
+        organizationId: "org1",
+      } as CipherLike;
+      const restrictedTypes: RestrictedCipherType[] = [
+        { cipherType: CipherType.Card, allowViewOrgIds: [] },
+        { cipherType: CipherType.Login, allowViewOrgIds: [] },
+        { cipherType: CipherType.Identity, allowViewOrgIds: [] },
+      ];
+
+      const result = service.isCipherRestricted(cipher, restrictedTypes);
+
+      expect(result).toBe(false);
+    });
+
+    it("returns true for personal cipher when type is restricted", () => {
+      const cipher: CipherLike = { type: CipherType.Card, organizationId: null } as CipherLike;
+      const restrictedTypes: RestrictedCipherType[] = [
+        { cipherType: CipherType.Card, allowViewOrgIds: ["org1"] },
+      ];
+
+      const result = service.isCipherRestricted(cipher, restrictedTypes);
+
+      expect(result).toBe(true);
+    });
+
+    it("returns true for personal cipher with undefined organizationId when type is restricted", () => {
+      const cipher: CipherLike = {
+        type: CipherType.Login,
+        organizationId: undefined,
+      } as CipherLike;
+      const restrictedTypes: RestrictedCipherType[] = [
+        { cipherType: CipherType.Login, allowViewOrgIds: ["org1", "org2"] },
+      ];
+
+      const result = service.isCipherRestricted(cipher, restrictedTypes);
+
+      expect(result).toBe(true);
+    });
+
+    it("returns true for personal cipher regardless of allowViewOrgIds content", () => {
+      const cipher: CipherLike = { type: CipherType.Identity, organizationId: null } as CipherLike;
+      const restrictedTypes: RestrictedCipherType[] = [
+        { cipherType: CipherType.Identity, allowViewOrgIds: [] },
+      ];
+
+      const result = service.isCipherRestricted(cipher, restrictedTypes);
+
+      expect(result).toBe(true);
+    });
+
+    it("returns false when organization is in allowViewOrgIds", () => {
+      const cipher: CipherLike = { type: CipherType.Card, organizationId: "org1" } as CipherLike;
+      const restrictedTypes: RestrictedCipherType[] = [
+        { cipherType: CipherType.Card, allowViewOrgIds: ["org1"] },
+      ];
+
+      const result = service.isCipherRestricted(cipher, restrictedTypes);
+
+      expect(result).toBe(false);
+    });
+
+    it("returns false when organization is among multiple allowViewOrgIds", () => {
+      const cipher: CipherLike = { type: CipherType.Login, organizationId: "org2" } as CipherLike;
+      const restrictedTypes: RestrictedCipherType[] = [
+        { cipherType: CipherType.Login, allowViewOrgIds: ["org1", "org2", "org3"] },
+      ];
+
+      const result = service.isCipherRestricted(cipher, restrictedTypes);
+
+      expect(result).toBe(false);
+    });
+
+    it("returns false when type is restricted globally but cipher org allows it", () => {
+      const cipher: CipherLike = { type: CipherType.Card, organizationId: "org2" } as CipherLike;
+      const restrictedTypes: RestrictedCipherType[] = [
+        { cipherType: CipherType.Card, allowViewOrgIds: ["org2"] },
+      ];
+
+      const result = service.isCipherRestricted(cipher, restrictedTypes);
+
+      expect(result).toBe(false);
+    });
+
+    it("returns true when organization is not in allowViewOrgIds", () => {
+      const cipher: CipherLike = { type: CipherType.Card, organizationId: "org3" } as CipherLike;
+      const restrictedTypes: RestrictedCipherType[] = [
+        { cipherType: CipherType.Card, allowViewOrgIds: ["org1", "org2"] },
+      ];
+
+      const result = service.isCipherRestricted(cipher, restrictedTypes);
+
+      expect(result).toBe(true);
+    });
+
+    it("returns true when allowViewOrgIds is empty for org cipher", () => {
+      const cipher: CipherLike = { type: CipherType.Login, organizationId: "org1" } as CipherLike;
+      const restrictedTypes: RestrictedCipherType[] = [
+        { cipherType: CipherType.Login, allowViewOrgIds: [] },
+      ];
+
+      const result = service.isCipherRestricted(cipher, restrictedTypes);
+
+      expect(result).toBe(true);
+    });
+
+    it("returns true when cipher org differs from all allowViewOrgIds", () => {
+      const cipher: CipherLike = {
+        type: CipherType.Identity,
+        organizationId: "org5",
+      } as CipherLike;
+      const restrictedTypes: RestrictedCipherType[] = [
+        { cipherType: CipherType.Identity, allowViewOrgIds: ["org1", "org2", "org3", "org4"] },
+      ];
+
+      const result = service.isCipherRestricted(cipher, restrictedTypes);
+
+      expect(result).toBe(true);
+    });
+  });
+
+  describe("isCipherRestricted$", () => {
+    it("returns true when cipher is restricted by policy", async () => {
+      policyService.policiesByType$.mockReturnValue(of([policyOrg1]));
+      const cipher: CipherLike = { type: CipherType.Card, organizationId: null } as CipherLike;
+
+      const result = await firstValueFrom(service.isCipherRestricted$(cipher));
+
+      expect(result).toBe(true);
+    });
+
+    it("returns false when cipher is not restricted", async () => {
+      policyService.policiesByType$.mockReturnValue(of([policyOrg1]));
+      const cipher: CipherLike = { type: CipherType.Login, organizationId: "org2" } as CipherLike;
+
+      const result = await firstValueFrom(service.isCipherRestricted$(cipher));
+
+      expect(result).toBe(false);
+    });
+  });
 });