[PM-24582] Bugfix: exclude admins and owners from default user collection creation on confirmation (#6177)

* Update the OrganizationUserController integration Confirm tests to handle the Owner type * Refactor ConfirmOrganizationUserCommand to simplify side-effect handling in organization user confirmation. Update IPolicyRequirementQuery to return eligible org user IDs for policy enforcement. Update tests for method signature changes and default collection creation logic.
2025-12-15 07:43:54 +00:00 · 2025-08-11 16:36:40 +01:00
parent e88c9b3525
commit e042572cfb
6 changed files with 99 additions and 95 deletions
--- a/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUserControllerTests.cs
+++ b/test/Api.IntegrationTest/AdminConsole/Controllers/OrganizationUserControllerTests.cs
@@ -22,7 +22,6 @@ public class OrganizationUserControllerTests : IClassFixture<ApiApplicationFacto
    private static readonly string _mockEncryptedString =
        "2.AOs41Hd8OQiCPXjyJKCiDA==|O6OHgt2U2hJGBSNGnimJmg==|iD33s8B69C8JhYYhSa4V1tArjvLr8eEaGqOV7BRo5Jk=";

-
    public OrganizationUserControllerTests(ApiApplicationFactory apiFactory)
    {
        _factory = apiFactory;
@@ -115,7 +114,7 @@ public class OrganizationUserControllerTests : IClassFixture<ApiApplicationFacto
    {
        await OrganizationTestHelpers.EnableOrganizationDataOwnershipPolicyAsync(_factory, _organization.Id);

-        var acceptedOrgUser = (await CreateAcceptedUsersAsync(new[] { "test1@bitwarden.com" })).First();
+        var acceptedOrgUser = (await CreateAcceptedUsersAsync(new[] { ("test1@bitwarden.com", OrganizationUserType.User) })).First();

        await _loginHelper.LoginAsync(_ownerEmail);

@@ -129,7 +128,29 @@ public class OrganizationUserControllerTests : IClassFixture<ApiApplicationFacto
        Assert.Equal(HttpStatusCode.OK, confirmResponse.StatusCode);

        await VerifyUserConfirmedAsync(acceptedOrgUser, "test-key");
-        await VerifyDefaultCollectionCreatedAsync(acceptedOrgUser);
+        await VerifyDefaultCollectionCountAsync(acceptedOrgUser, 1);
+    }
+
+    [Fact]
+    public async Task Confirm_WithValidOwner_ReturnsSuccess()
+    {
+        await OrganizationTestHelpers.EnableOrganizationDataOwnershipPolicyAsync(_factory, _organization.Id);
+
+        var acceptedOrgUser = (await CreateAcceptedUsersAsync(new[] { ("owner1@bitwarden.com", OrganizationUserType.Owner) })).First();
+
+        await _loginHelper.LoginAsync(_ownerEmail);
+
+        var confirmModel = new OrganizationUserConfirmRequestModel
+        {
+            Key = "test-key",
+            DefaultUserCollectionName = _mockEncryptedString
+        };
+        var confirmResponse = await _client.PostAsJsonAsync($"organizations/{_organization.Id}/users/{acceptedOrgUser.Id}/confirm", confirmModel);
+
+        Assert.Equal(HttpStatusCode.OK, confirmResponse.StatusCode);
+
+        await VerifyUserConfirmedAsync(acceptedOrgUser, "test-key");
+        await VerifyDefaultCollectionCountAsync(acceptedOrgUser, 0);
    }

    [Fact]
@@ -138,8 +159,11 @@ public class OrganizationUserControllerTests : IClassFixture<ApiApplicationFacto
        const string testKeyFormat = "test-key-{0}";
        await OrganizationTestHelpers.EnableOrganizationDataOwnershipPolicyAsync(_factory, _organization.Id);

-        var emails = new[] { "test1@example.com", "test2@example.com", "test3@example.com" };
-        var acceptedUsers = await CreateAcceptedUsersAsync(emails);
+        var acceptedUsers = await CreateAcceptedUsersAsync([
+            ("test1@example.com", OrganizationUserType.User),
+            ("test2@example.com", OrganizationUserType.Owner),
+            ("test3@example.com", OrganizationUserType.User)
+        ]);

        await _loginHelper.LoginAsync(_ownerEmail);

@@ -159,7 +183,9 @@ public class OrganizationUserControllerTests : IClassFixture<ApiApplicationFacto

        await VerifyMultipleUsersConfirmedAsync(acceptedUsers.Select((organizationUser, index) =>
            (organizationUser, string.Format(testKeyFormat, index))).ToList());
-        await VerifyMultipleUsersHaveDefaultCollectionsAsync(acceptedUsers);
+        await VerifyDefaultCollectionCountAsync(acceptedUsers.ElementAt(0), 1);
+        await VerifyDefaultCollectionCountAsync(acceptedUsers.ElementAt(1), 0); // Owner does not get a default collection
+        await VerifyDefaultCollectionCountAsync(acceptedUsers.ElementAt(2), 1);
    }

    [Fact]
@@ -294,16 +320,18 @@ public class OrganizationUserControllerTests : IClassFixture<ApiApplicationFacto
        Assert.False(newCollectionAccess.Manage);
    }

-    private async Task<List<OrganizationUser>> CreateAcceptedUsersAsync(IEnumerable<string> emails)
+    private async Task<List<OrganizationUser>> CreateAcceptedUsersAsync(
+        IEnumerable<(string email, OrganizationUserType userType)> newUsers)
    {
        var acceptedUsers = new List<OrganizationUser>();

-        foreach (var email in emails)
+        foreach (var (email, userType) in newUsers)
        {
            await _factory.LoginWithNewAccount(email);

-            var acceptedOrgUser = await OrganizationTestHelpers.CreateUserAsync(_factory, _organization.Id, email,
-                OrganizationUserType.User, userStatusType: OrganizationUserStatusType.Accepted);
+            var acceptedOrgUser = await OrganizationTestHelpers.CreateUserAsync(
+                _factory, _organization.Id, email,
+                userType, userStatusType: OrganizationUserStatusType.Accepted);

            acceptedUsers.Add(acceptedOrgUser);
        }
@@ -311,12 +339,11 @@ public class OrganizationUserControllerTests : IClassFixture<ApiApplicationFacto
        return acceptedUsers;
    }

-    private async Task VerifyDefaultCollectionCreatedAsync(OrganizationUser orgUser)
+    private async Task VerifyDefaultCollectionCountAsync(OrganizationUser orgUser, int expectedCount)
    {
        var collectionRepository = _factory.GetService<ICollectionRepository>();
        var collections = await collectionRepository.GetManyByUserIdAsync(orgUser.UserId!.Value);
-        Assert.Single(collections);
-        Assert.Equal(_mockEncryptedString, collections.First().Name);
+        Assert.Equal(expectedCount, collections.Count);
    }

    private async Task VerifyUserConfirmedAsync(OrganizationUser orgUser, string expectedKey)
@@ -334,15 +361,4 @@ public class OrganizationUserControllerTests : IClassFixture<ApiApplicationFacto
            Assert.Equal(acceptedOrganizationUsers[i].key, confirmedUser.Key);
        }
    }
-
-    private async Task VerifyMultipleUsersHaveDefaultCollectionsAsync(List<OrganizationUser> acceptedOrganizationUsers)
-    {
-        var collectionRepository = _factory.GetService<ICollectionRepository>();
-        foreach (var acceptedOrganizationUser in acceptedOrganizationUsers)
-        {
-            var collections = await collectionRepository.GetManyByUserIdAsync(acceptedOrganizationUser.UserId!.Value);
-            Assert.Single(collections);
-            Assert.Equal(_mockEncryptedString, collections.First().Name);
-        }
-    }
 }