[PM-12740] Move CollectionAdminService to AC Team (#11269)

libs/admin-console/src/common/collections/abstractions/collection-admin.service.ts

@@ -0,0 +1,16 @@
+import { CollectionDetailsResponse } from "@bitwarden/common/vault/models/response/collection.response";
+
+import { CollectionAccessSelectionView, CollectionAdminView } from "../models";
+
+export abstract class CollectionAdminService {
+  getAll: (organizationId: string) => Promise<CollectionAdminView[]>;
+  get: (organizationId: string, collectionId: string) => Promise<CollectionAdminView | undefined>;
+  save: (collection: CollectionAdminView) => Promise<CollectionDetailsResponse>;
+  delete: (organizationId: string, collectionId: string) => Promise<void>;
+  bulkAssignAccess: (
+    organizationId: string,
+    collectionIds: string[],
+    users: CollectionAccessSelectionView[],
+    groups: CollectionAccessSelectionView[],
+  ) => Promise<void>;
+}

libs/admin-console/src/common/collections/abstractions/index.ts

@@ -0,0 +1 @@
+export * from "./collection-admin.service";

libs/admin-console/src/common/collections/index.ts

@@ -0,0 +1,3 @@
+export * from "./abstractions";
+export * from "./models";
+export * from "./services";

libs/admin-console/src/common/collections/models/bulk-collection-access.request.ts

@@ -0,0 +1,7 @@
+import { SelectionReadOnlyRequest } from "@bitwarden/common/admin-console/models/request/selection-read-only.request";
+
+export class BulkCollectionAccessRequest {
+  collectionIds: string[];
+  users: SelectionReadOnlyRequest[];
+  groups: SelectionReadOnlyRequest[];
+}

libs/admin-console/src/common/collections/models/collection-access-selection.view.ts

@@ -0,0 +1,28 @@
+import { View } from "@bitwarden/common/models/view/view";
+
+interface SelectionResponseLike {
+  id: string;
+  readOnly: boolean;
+  hidePasswords: boolean;
+  manage: boolean;
+}
+
+export class CollectionAccessSelectionView extends View {
+  readonly id: string;
+  readonly readOnly: boolean;
+  readonly hidePasswords: boolean;
+  readonly manage: boolean;
+
+  constructor(response?: SelectionResponseLike) {
+    super();
+
+    if (!response) {
+      return;
+    }
+
+    this.id = response.id;
+    this.readOnly = response.readOnly;
+    this.hidePasswords = response.hidePasswords;
+    this.manage = response.manage;
+  }
+}

libs/admin-console/src/common/collections/models/collection-admin.view.ts

@@ -0,0 +1,97 @@
+import { Organization } from "@bitwarden/common/admin-console/models/domain/organization";
+import { CollectionAccessDetailsResponse } from "@bitwarden/common/src/vault/models/response/collection.response";
+import { CollectionView } from "@bitwarden/common/vault/models/view/collection.view";
+
+import { CollectionAccessSelectionView } from "../models";
+
+export const Unassigned = "unassigned";
+
+export class CollectionAdminView extends CollectionView {
+  groups: CollectionAccessSelectionView[] = [];
+  users: CollectionAccessSelectionView[] = [];
+
+  /**
+   * Flag indicating the collection has no active user or group assigned to it with CanManage permissions
+   * In this case, the collection can be managed by admins/owners or custom users with appropriate permissions
+   */
+  unmanaged: boolean;
+
+  /**
+   * Flag indicating the user has been explicitly assigned to this Collection
+   */
+  assigned: boolean;
+
+  constructor(response?: CollectionAccessDetailsResponse) {
+    super(response);
+
+    if (!response) {
+      return;
+    }
+
+    this.groups = response.groups
+      ? response.groups.map((g) => new CollectionAccessSelectionView(g))
+      : [];
+
+    this.users = response.users
+      ? response.users.map((g) => new CollectionAccessSelectionView(g))
+      : [];
+
+    this.assigned = response.assigned;
+  }
+
+  /**
+   * Returns true if the user can edit a collection (including user and group access) from the Admin Console.
+   */
+  override canEdit(org: Organization): boolean {
+    return (
+      org?.canEditAnyCollection ||
+      (this.unmanaged && org?.canEditUnmanagedCollections) ||
+      super.canEdit(org)
+    );
+  }
+
+  /**
+   * Returns true if the user can delete a collection from the Admin Console.
+   */
+  override canDelete(org: Organization): boolean {
+    return org?.canDeleteAnyCollection || super.canDelete(org);
+  }
+
+  /**
+   * Whether the user can modify user access to this collection
+   */
+  canEditUserAccess(org: Organization): boolean {
+    return (
+      (org.permissions.manageUsers && org.allowAdminAccessToAllCollectionItems) || this.canEdit(org)
+    );
+  }
+
+  /**
+   * Whether the user can modify group access to this collection
+   */
+  canEditGroupAccess(org: Organization): boolean {
+    return (
+      (org.permissions.manageGroups && org.allowAdminAccessToAllCollectionItems) ||
+      this.canEdit(org)
+    );
+  }
+
+  /**
+   * Returns true if the user can view collection info and access in a read-only state from the Admin Console
+   */
+  override canViewCollectionInfo(org: Organization | undefined): boolean {
+    if (this.isUnassignedCollection) {
+      return false;
+    }
+
+    return this.manage || org?.isAdmin || org?.permissions.editAnyCollection;
+  }
+
+  /**
+   * True if this collection represents the pseudo "Unassigned" collection
+   * This is different from the "unmanaged" flag, which indicates that no users or groups have access to the collection
+   */
+  get isUnassignedCollection() {
+    return this.id === Unassigned;
+  }
+}

libs/admin-console/src/common/collections/models/index.ts

@@ -0,0 +1,3 @@
+export * from "./bulk-collection-access.request";
+export * from "./collection-access-selection.view";
+export * from "./collection-admin.view";

libs/admin-console/src/common/collections/services/default-collection-admin.service.ts

@@ -0,0 +1,169 @@
+import { ApiService } from "@bitwarden/common/abstractions/api.service";
+import { SelectionReadOnlyRequest } from "@bitwarden/common/admin-console/models/request/selection-read-only.request";
+import { CryptoService } from "@bitwarden/common/platform/abstractions/crypto.service";
+import { EncryptService } from "@bitwarden/common/platform/abstractions/encrypt.service";
+import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
+import { CollectionService } from "@bitwarden/common/vault/abstractions/collection.service";
+import { CollectionData } from "@bitwarden/common/vault/models/data/collection.data";
+import { CollectionRequest } from "@bitwarden/common/vault/models/request/collection.request";
+import {
+  CollectionAccessDetailsResponse,
+  CollectionDetailsResponse,
+  CollectionResponse,
+} from "@bitwarden/common/vault/models/response/collection.response";
+
+import { CollectionAdminService } from "../abstractions";
+import {
+  BulkCollectionAccessRequest,
+  CollectionAccessSelectionView,
+  CollectionAdminView,
+} from "../models";
+
+export class DefaultCollectionAdminService implements CollectionAdminService {
+  constructor(
+    private apiService: ApiService,
+    private cryptoService: CryptoService,
+    private encryptService: EncryptService,
+    private collectionService: CollectionService,
+  ) {}
+
+  async getAll(organizationId: string): Promise<CollectionAdminView[]> {
+    const collectionResponse =
+      await this.apiService.getManyCollectionsWithAccessDetails(organizationId);
+
+    if (collectionResponse?.data == null || collectionResponse.data.length === 0) {
+      return [];
+    }
+
+    return await this.decryptMany(organizationId, collectionResponse.data);
+  }
+
+  async get(
+    organizationId: string,
+    collectionId: string,
+  ): Promise<CollectionAdminView | undefined> {
+    const collectionResponse = await this.apiService.getCollectionAccessDetails(
+      organizationId,
+      collectionId,
+    );
+
+    if (collectionResponse == null) {
+      return undefined;
+    }
+
+    const [view] = await this.decryptMany(organizationId, [collectionResponse]);
+
+    return view;
+  }
+
+  async save(collection: CollectionAdminView): Promise<CollectionDetailsResponse> {
+    const request = await this.encrypt(collection);
+
+    let response: CollectionDetailsResponse;
+    if (collection.id == null) {
+      response = await this.apiService.postCollection(collection.organizationId, request);
+      collection.id = response.id;
+    } else {
+      response = await this.apiService.putCollection(
+        collection.organizationId,
+        collection.id,
+        request,
+      );
+    }
+
+    if (response.assigned) {
+      await this.collectionService.upsert(new CollectionData(response));
+    } else {
+      await this.collectionService.delete(collection.id);
+    }
+
+    return response;
+  }
+
+  async delete(organizationId: string, collectionId: string): Promise<void> {
+    await this.apiService.deleteCollection(organizationId, collectionId);
+  }
+
+  async bulkAssignAccess(
+    organizationId: string,
+    collectionIds: string[],
+    users: CollectionAccessSelectionView[],
+    groups: CollectionAccessSelectionView[],
+  ): Promise<void> {
+    const request = new BulkCollectionAccessRequest();
+    request.collectionIds = collectionIds;
+    request.users = users.map(
+      (u) => new SelectionReadOnlyRequest(u.id, u.readOnly, u.hidePasswords, u.manage),
+    );
+    request.groups = groups.map(
+      (g) => new SelectionReadOnlyRequest(g.id, g.readOnly, g.hidePasswords, g.manage),
+    );
+
+    await this.apiService.send(
+      "POST",
+      `/organizations/${organizationId}/collections/bulk-access`,
+      request,
+      true,
+      false,
+    );
+  }
+
+  private async decryptMany(
+    organizationId: string,
+    collections: CollectionResponse[] | CollectionAccessDetailsResponse[],
+  ): Promise<CollectionAdminView[]> {
+    const orgKey = await this.cryptoService.getOrgKey(organizationId);
+
+    const promises = collections.map(async (c) => {
+      const view = new CollectionAdminView();
+      view.id = c.id;
+      view.name = await this.encryptService.decryptToUtf8(new EncString(c.name), orgKey);
+      view.externalId = c.externalId;
+      view.organizationId = c.organizationId;
+
+      if (isCollectionAccessDetailsResponse(c)) {
+        view.groups = c.groups;
+        view.users = c.users;
+        view.assigned = c.assigned;
+        view.readOnly = c.readOnly;
+        view.hidePasswords = c.hidePasswords;
+        view.manage = c.manage;
+        view.unmanaged = c.unmanaged;
+      }
+
+      return view;
+    });
+
+    return await Promise.all(promises);
+  }
+
+  private async encrypt(model: CollectionAdminView): Promise<CollectionRequest> {
+    if (model.organizationId == null) {
+      throw new Error("Collection has no organization id.");
+    }
+    const key = await this.cryptoService.getOrgKey(model.organizationId);
+    if (key == null) {
+      throw new Error("No key for this collection's organization.");
+    }
+    const collection = new CollectionRequest();
+    collection.externalId = model.externalId;
+    collection.name = (await this.encryptService.encrypt(model.name, key)).encryptedString;
+    collection.groups = model.groups.map(
+      (group) =>
+        new SelectionReadOnlyRequest(group.id, group.readOnly, group.hidePasswords, group.manage),
+    );
+    collection.users = model.users.map(
+      (user) =>
+        new SelectionReadOnlyRequest(user.id, user.readOnly, user.hidePasswords, user.manage),
+    );
+    return collection;
+  }
+}
+
+function isCollectionAccessDetailsResponse(
+  response: CollectionResponse | CollectionAccessDetailsResponse,
+): response is CollectionAccessDetailsResponse {
+  const anyResponse = response as any;
+
+  return anyResponse?.groups instanceof Array && anyResponse?.users instanceof Array;
+}

libs/admin-console/src/common/collections/services/index.ts

@@ -0,0 +1 @@
+export * from "./default-collection-admin.service";

libs/admin-console/src/common/index.ts

@@ -1 +1,2 @@
 export * from "./organization-user";
+export * from "./collections";