[SM-1592] API for Secret Versioning, adding controller, repository and tests (#6444)

* Adding SecretVersion table to server * making the names singular not plural for new table * removing migration * fixing migration * Adding indexes for serviceacct and orguserId * indexes for sqllite * fixing migrations * adding indexes to secretVeriosn.sql * tests * removing tests * adding GO * api repository and controller additions for SecretVersion table, as well as tests * test fix sqllite * improvements * removing comments * making files nullable safe * Justin Baurs suggested changes * claude suggestions * Claude fixes * test fixes
2025-12-06 00:03:34 +00:00 · 2025-12-03 12:17:29 -05:00
parent ded1c58c27
commit 98212a7f49
14 changed files with 1290 additions and 1 deletions
--- a/test/Api.IntegrationTest/SecretsManager/Controllers/SecretVersionsControllerTests.cs
+++ b/test/Api.IntegrationTest/SecretsManager/Controllers/SecretVersionsControllerTests.cs
@@ -0,0 +1,289 @@
+using System.Net;
+using Bit.Api.IntegrationTest.Factories;
+using Bit.Api.IntegrationTest.SecretsManager.Enums;
+using Bit.Api.IntegrationTest.SecretsManager.Helpers;
+using Bit.Api.Models.Response;
+using Bit.Api.SecretsManager.Models.Request;
+using Bit.Api.SecretsManager.Models.Response;
+using Bit.Core.Enums;
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Repositories;
+using Xunit;
+
+namespace Bit.Api.IntegrationTest.SecretsManager.Controllers;
+
+public class SecretVersionsControllerTests : IClassFixture<ApiApplicationFactory>, IAsyncLifetime
+{
+    private readonly string _mockEncryptedString =
+        "2.3Uk+WNBIoU5xzmVFNcoWzz==|1MsPIYuRfdOHfu/0uY6H2Q==|/98sp4wb6pHP1VTZ9JcNCYgQjEUMFPlqJgCwRk1YXKg=";
+
+    private readonly HttpClient _client;
+    private readonly ApiApplicationFactory _factory;
+    private readonly ISecretRepository _secretRepository;
+    private readonly ISecretVersionRepository _secretVersionRepository;
+    private readonly IAccessPolicyRepository _accessPolicyRepository;
+    private readonly LoginHelper _loginHelper;
+
+    private string _email = null!;
+    private SecretsManagerOrganizationHelper _organizationHelper = null!;
+
+    public SecretVersionsControllerTests(ApiApplicationFactory factory)
+    {
+        _factory = factory;
+        _client = _factory.CreateClient();
+        _secretRepository = _factory.GetService<ISecretRepository>();
+        _secretVersionRepository = _factory.GetService<ISecretVersionRepository>();
+        _accessPolicyRepository = _factory.GetService<IAccessPolicyRepository>();
+        _loginHelper = new LoginHelper(_factory, _client);
+    }
+
+    public async Task InitializeAsync()
+    {
+        _email = $"integration-test{Guid.NewGuid()}@bitwarden.com";
+        await _factory.LoginWithNewAccount(_email);
+        _organizationHelper = new SecretsManagerOrganizationHelper(_factory, _email);
+    }
+
+    public Task DisposeAsync()
+    {
+        _client.Dispose();
+        return Task.CompletedTask;
+    }
+
+    [Theory]
+    [InlineData(false, false, false)]
+    [InlineData(false, false, true)]
+    [InlineData(false, true, false)]
+    [InlineData(false, true, true)]
+    [InlineData(true, false, false)]
+    [InlineData(true, false, true)]
+    [InlineData(true, true, false)]
+    public async Task GetVersionsBySecretId_SmAccessDenied_NotFound(bool useSecrets, bool accessSecrets, bool organizationEnabled)
+    {
+        var (org, _) = await _organizationHelper.Initialize(useSecrets, accessSecrets, organizationEnabled);
+        await _loginHelper.LoginAsync(_email);
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString
+        });
+
+        var response = await _client.GetAsync($"/secrets/{secret.Id}/versions");
+        Assert.Equal(HttpStatusCode.NotFound, response.StatusCode);
+    }
+
+    [Theory]
+    [InlineData(PermissionType.RunAsAdmin)]
+    [InlineData(PermissionType.RunAsUserWithPermission)]
+    public async Task GetVersionsBySecretId_Success(PermissionType permissionType)
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString
+        });
+
+        // Create some versions
+        var version1 = await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = _mockEncryptedString,
+            VersionDate = DateTime.UtcNow.AddDays(-2)
+        });
+
+        var version2 = await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = _mockEncryptedString,
+            VersionDate = DateTime.UtcNow.AddDays(-1)
+        });
+
+        if (permissionType == PermissionType.RunAsUserWithPermission)
+        {
+            var (email, orgUser) = await _organizationHelper.CreateNewUser(OrganizationUserType.User, true);
+            await _loginHelper.LoginAsync(email);
+
+            var accessPolicies = new List<BaseAccessPolicy>
+            {
+                new UserSecretAccessPolicy
+                {
+                    GrantedSecretId = secret.Id,
+                    OrganizationUserId = orgUser.Id,
+                    Read = true,
+                    Write = true
+                }
+            };
+            await _accessPolicyRepository.CreateManyAsync(accessPolicies);
+        }
+
+        var response = await _client.GetAsync($"/secrets/{secret.Id}/versions");
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<ListResponseModel<SecretVersionResponseModel>>();
+
+        Assert.NotNull(result);
+        Assert.Equal(2, result.Data.Count());
+    }
+
+    [Fact]
+    public async Task GetVersionById_Success()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString
+        });
+
+        var version = await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = _mockEncryptedString,
+            VersionDate = DateTime.UtcNow
+        });
+
+        var response = await _client.GetAsync($"/secret-versions/{version.Id}");
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<SecretVersionResponseModel>();
+
+        Assert.NotNull(result);
+        Assert.Equal(version.Id, result.Id);
+        Assert.Equal(secret.Id, result.SecretId);
+    }
+
+    [Fact]
+    public async Task RestoreVersion_Success()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = "OriginalValue",
+            Note = _mockEncryptedString
+        });
+
+        var version = await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = "OldValue",
+            VersionDate = DateTime.UtcNow.AddDays(-1)
+        });
+
+        var request = new RestoreSecretVersionRequestModel
+        {
+            VersionId = version.Id
+        };
+
+        var response = await _client.PutAsJsonAsync($"/secrets/{secret.Id}/versions/restore", request);
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<SecretResponseModel>();
+
+        Assert.NotNull(result);
+        Assert.Equal("OldValue", result.Value);
+    }
+
+    [Fact]
+    public async Task BulkDelete_Success()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString
+        });
+
+        var version1 = await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = _mockEncryptedString,
+            VersionDate = DateTime.UtcNow.AddDays(-2)
+        });
+
+        var version2 = await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = _mockEncryptedString,
+            VersionDate = DateTime.UtcNow.AddDays(-1)
+        });
+
+        var ids = new List<Guid> { version1.Id, version2.Id };
+
+        var response = await _client.PostAsJsonAsync("/secret-versions/delete", ids);
+        response.EnsureSuccessStatusCode();
+
+        var versions = await _secretVersionRepository.GetManyBySecretIdAsync(secret.Id);
+        Assert.Empty(versions);
+    }
+
+    [Fact]
+    public async Task GetVersionsBySecretId_ReturnsOrderedByVersionDate()
+    {
+        var (org, _) = await _organizationHelper.Initialize(true, true, true);
+        await _loginHelper.LoginAsync(_email);
+
+        var secret = await _secretRepository.CreateAsync(new Secret
+        {
+            OrganizationId = org.Id,
+            Key = _mockEncryptedString,
+            Value = _mockEncryptedString,
+            Note = _mockEncryptedString
+        });
+
+        // Create versions in random order
+        await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = "Version2",
+            VersionDate = DateTime.UtcNow.AddDays(-1)
+        });
+
+        await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = "Version3",
+            VersionDate = DateTime.UtcNow
+        });
+
+        await _secretVersionRepository.CreateAsync(new SecretVersion
+        {
+            SecretId = secret.Id,
+            Value = "Version1",
+            VersionDate = DateTime.UtcNow.AddDays(-2)
+        });
+
+        var response = await _client.GetAsync($"/secrets/{secret.Id}/versions");
+        response.EnsureSuccessStatusCode();
+
+        var result = await response.Content.ReadFromJsonAsync<ListResponseModel<SecretVersionResponseModel>>();
+
+        Assert.NotNull(result);
+        Assert.Equal(3, result.Data.Count());
+
+        var versions = result.Data.ToList();
+        // Should be ordered by VersionDate descending (newest first)
+        Assert.Equal("Version3", versions[0].Value);
+        Assert.Equal("Version2", versions[1].Value);
+        Assert.Equal("Version1", versions[2].Value);
+    }
+}
--- a/test/Api.Test/SecretsManager/Controllers/SecretVersionsControllerTests.cs
+++ b/test/Api.Test/SecretsManager/Controllers/SecretVersionsControllerTests.cs
@@ -0,0 +1,307 @@
+using Bit.Api.SecretsManager.Controllers;
+using Bit.Api.SecretsManager.Models.Request;
+using Bit.Core.Auth.Identity;
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Repositories;
+using Bit.Core.Services;
+using Bit.Core.Test.SecretsManager.AutoFixture.SecretsFixture;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.SecretsManager.Controllers;
+
+[ControllerCustomize(typeof(SecretVersionsController))]
+[SutProviderCustomize]
+[SecretCustomize]
+public class SecretVersionsControllerTests
+{
+    [Theory]
+    [BitAutoData]
+    public async Task GetVersionsBySecretId_SecretNotFound_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Guid secretId)
+    {
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secretId).Returns((Secret?)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetVersionsBySecretIdAsync(secretId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetVersionsBySecretId_NoAccess_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret)
+    {
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(false);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetVersionsBySecretIdAsync(secret.Id));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetVersionsBySecretId_NoReadAccess_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret,
+        Guid userId)
+    {
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(false);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((false, false));
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetVersionsBySecretIdAsync(secret.Id));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetVersionsBySecretId_Success(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret,
+        List<SecretVersion> versions,
+        Guid userId)
+    {
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(false);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, false));
+
+        foreach (var version in versions)
+        {
+            version.SecretId = secret.Id;
+        }
+        sutProvider.GetDependency<ISecretVersionRepository>().GetManyBySecretIdAsync(secret.Id).Returns(versions);
+
+        var result = await sutProvider.Sut.GetVersionsBySecretIdAsync(secret.Id);
+
+        Assert.Equal(versions.Count, result.Data.Count());
+        await sutProvider.GetDependency<ISecretVersionRepository>().Received(1)
+            .GetManyBySecretIdAsync(Arg.Is(secret.Id));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetById_VersionNotFound_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Guid versionId)
+    {
+        sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(versionId).Returns((SecretVersion?)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.GetByIdAsync(versionId));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task GetById_Success(
+        SutProvider<SecretVersionsController> sutProvider,
+        SecretVersion version,
+        Secret secret,
+        Guid userId)
+    {
+        version.SecretId = secret.Id;
+        sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(version.Id).Returns(version);
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(false);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, false));
+
+        var result = await sutProvider.Sut.GetByIdAsync(version.Id);
+
+        Assert.Equal(version.Id, result.Id);
+        Assert.Equal(version.SecretId, result.SecretId);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreVersion_NoWriteAccess_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret,
+        SecretVersion version,
+        RestoreSecretVersionRequestModel request,
+        Guid userId)
+    {
+        version.SecretId = secret.Id;
+        request.VersionId = version.Id;
+
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(false);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, false));
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.RestoreVersionAsync(secret.Id, request));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreVersion_VersionNotFound_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret,
+        RestoreSecretVersionRequestModel request,
+        Guid userId)
+    {
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, true));
+        sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(request.VersionId).Returns((SecretVersion?)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.RestoreVersionAsync(secret.Id, request));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreVersion_VersionBelongsToDifferentSecret_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret,
+        SecretVersion version,
+        RestoreSecretVersionRequestModel request,
+        Guid userId)
+    {
+        version.SecretId = Guid.NewGuid(); // Different secret
+        request.VersionId = version.Id;
+
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, true));
+        sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(request.VersionId).Returns(version);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.RestoreVersionAsync(secret.Id, request));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task RestoreVersion_Success(
+        SutProvider<SecretVersionsController> sutProvider,
+        Secret secret,
+        SecretVersion version,
+        RestoreSecretVersionRequestModel request,
+        Guid userId,
+        OrganizationUser organizationUser)
+    {
+        version.SecretId = secret.Id;
+        request.VersionId = version.Id;
+        var versionValue = version.Value;
+        organizationUser.OrganizationId = secret.OrganizationId;
+        organizationUser.UserId = userId;
+
+        sutProvider.GetDependency<ISecretRepository>().GetByIdAsync(secret.Id).Returns(secret);
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, true));
+        sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(request.VersionId).Returns(version);
+        sutProvider.GetDependency<IOrganizationUserRepository>()
+            .GetByOrganizationAsync(secret.OrganizationId, userId).Returns(organizationUser);
+        sutProvider.GetDependency<ISecretRepository>().UpdateAsync(Arg.Any<Secret>()).Returns(x => x.Arg<Secret>());
+
+        var result = await sutProvider.Sut.RestoreVersionAsync(secret.Id, request);
+
+        await sutProvider.GetDependency<ISecretRepository>().Received(1)
+            .UpdateAsync(Arg.Is<Secret>(s => s.Value == versionValue));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkDelete_EmptyIds_Throws(
+        SutProvider<SecretVersionsController> sutProvider)
+    {
+        await Assert.ThrowsAsync<BadRequestException>(() =>
+            sutProvider.Sut.BulkDeleteAsync(new List<Guid>()));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkDelete_VersionNotFound_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        List<Guid> ids)
+    {
+        sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(ids[0]).Returns((SecretVersion?)null);
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.BulkDeleteAsync(ids));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkDelete_NoWriteAccess_Throws(
+        SutProvider<SecretVersionsController> sutProvider,
+        List<SecretVersion> versions,
+        Secret secret,
+        Guid userId)
+    {
+        var ids = versions.Select(v => v.Id).ToList();
+        foreach (var version in versions)
+        {
+            version.SecretId = secret.Id;
+            sutProvider.GetDependency<ISecretVersionRepository>().GetByIdAsync(version.Id).Returns(version);
+        }
+
+        sutProvider.GetDependency<ISecretRepository>().GetManyByIds(Arg.Any<IEnumerable<Guid>>())
+            .Returns(new List<Secret> { secret });
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(false);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, false));
+
+        await Assert.ThrowsAsync<NotFoundException>(() =>
+            sutProvider.Sut.BulkDeleteAsync(ids));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task BulkDelete_Success(
+        SutProvider<SecretVersionsController> sutProvider,
+        List<SecretVersion> versions,
+        Secret secret,
+        Guid userId)
+    {
+        var ids = versions.Select(v => v.Id).ToList();
+        foreach (var version in versions)
+        {
+            version.SecretId = secret.Id;
+        }
+
+        sutProvider.GetDependency<ISecretVersionRepository>().GetManyByIdsAsync(ids).Returns(versions);
+        sutProvider.GetDependency<ISecretRepository>().GetManyByIds(Arg.Any<IEnumerable<Guid>>())
+            .Returns(new List<Secret> { secret });
+        sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<ICurrentContext>().IdentityClientType.Returns(IdentityClientType.ServiceAccount);
+        sutProvider.GetDependency<IUserService>().GetProperUserId(default).ReturnsForAnyArgs(userId);
+        sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(secret.OrganizationId).Returns(true);
+        sutProvider.GetDependency<ISecretRepository>().AccessToSecretAsync(secret.Id, userId, default)
+            .ReturnsForAnyArgs((true, true));
+
+        await sutProvider.Sut.BulkDeleteAsync(ids);
+
+        await sutProvider.GetDependency<ISecretVersionRepository>().Received(1)
+            .DeleteManyByIdAsync(Arg.Is<IEnumerable<Guid>>(x => x.SequenceEqual(ids)));
+    }
+}
--- a/test/Api.Test/SecretsManager/Controllers/SecretsControllerTests.cs
+++ b/test/Api.Test/SecretsManager/Controllers/SecretsControllerTests.cs
@@ -2,6 +2,7 @@
 using Bit.Api.SecretsManager.Controllers;
 using Bit.Api.SecretsManager.Models.Request;
 using Bit.Api.Test.SecretsManager.Enums;
+using Bit.Core.Auth.Identity;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
@@ -244,6 +245,7 @@ public class SecretsControllerTests
    {
        data = SetupSecretUpdateRequest(data);
        SetControllerUser(sutProvider, new Guid());
+        sutProvider.GetDependency<ICurrentContext>().IdentityClientType.Returns(IdentityClientType.ServiceAccount);
        sutProvider.GetDependency<IAuthorizationService>()
            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Any<Secret>(),
                Arg.Any<IEnumerable<IAuthorizationRequirement>>()).ReturnsForAnyArgs(AuthorizationResult.Success());
@@ -602,6 +604,7 @@ public class SecretsControllerTests
    {
        data = SetupSecretUpdateRequest(data, true);

+        sutProvider.GetDependency<ICurrentContext>().IdentityClientType.Returns(IdentityClientType.ServiceAccount);
        sutProvider.GetDependency<IAuthorizationService>()
            .AuthorizeAsync(Arg.Any<ClaimsPrincipal>(), Arg.Any<Secret>(),
                Arg.Any<IEnumerable<IAuthorizationRequirement>>()).Returns(AuthorizationResult.Success());