mirror of
https://github.com/bitwarden/browser
synced 2025-12-11 13:53:34 +00:00
[PM-21451] [Vault] [CLI] Changes to Enforce "Remove card item type policy" (#15187)
* Created new service to get restricted types for the CLI * Created service for cli to get restricted types * Utilized restriction service in commands * Renamed function * Refactored service and made it simpler to check when a cipher type is restricted or not * Moved service to common so it can be utilized on the cli * Refactored service to use restricted type service * Removed userId passing from commands * Exclude restrict types from export * Added missing dependency * Added missing dependency * Added missing dependency * Added service utils commit from desktop PR * refactored to use reusable function * updated reference * updated reference * Fixed merge conflicts * Refactired services to use isCipherRestricted * Refactored restricted item types service * Updated services to use the reafctored item types service
This commit is contained in:
SmithThe4th
GitHub
@@ -204,6 +204,7 @@ import { DefaultCipherEncryptionService } from "@bitwarden/common/vault/services
|
||||
import { CipherFileUploadService } from "@bitwarden/common/vault/services/file-upload/cipher-file-upload.service";
|
||||
import { FolderApiService } from "@bitwarden/common/vault/services/folder/folder-api.service";
|
||||
import { FolderService } from "@bitwarden/common/vault/services/folder/folder.service";
|
||||
import { RestrictedItemTypesService } from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
import { TotpService } from "@bitwarden/common/vault/services/totp.service";
|
||||
import { VaultSettingsService } from "@bitwarden/common/vault/services/vault-settings/vault-settings.service";
|
||||
import { DefaultTaskService, TaskService } from "@bitwarden/common/vault/tasks";
|
||||
@@ -411,6 +412,7 @@ export default class MainBackground {
|
||||
inlineMenuFieldQualificationService: InlineMenuFieldQualificationService;
|
||||
taskService: TaskService;
|
||||
cipherEncryptionService: CipherEncryptionService;
|
||||
restrictedItemTypesService: RestrictedItemTypesService;
|
||||
|
||||
ipcContentScriptManagerService: IpcContentScriptManagerService;
|
||||
ipcService: IpcService;
|
||||
@@ -1043,6 +1045,13 @@ export default class MainBackground {
|
||||
this.sdkService,
|
||||
);
|
||||
|
||||
this.restrictedItemTypesService = new RestrictedItemTypesService(
|
||||
this.configService,
|
||||
this.accountService,
|
||||
this.organizationService,
|
||||
this.policyService,
|
||||
);
|
||||
|
||||
this.individualVaultExportService = new IndividualVaultExportService(
|
||||
this.folderService,
|
||||
this.cipherService,
|
||||
@@ -1053,6 +1062,7 @@ export default class MainBackground {
|
||||
this.kdfConfigService,
|
||||
this.accountService,
|
||||
this.apiService,
|
||||
this.restrictedItemTypesService,
|
||||
);
|
||||
|
||||
this.organizationVaultExportService = new OrganizationVaultExportService(
|
||||
@@ -1065,6 +1075,7 @@ export default class MainBackground {
|
||||
this.collectionService,
|
||||
this.kdfConfigService,
|
||||
this.accountService,
|
||||
this.restrictedItemTypesService,
|
||||
);
|
||||
|
||||
this.exportService = new VaultExportService(
|
||||
|
||||
@@ -76,6 +76,7 @@ describe("VaultPopupListFiltersService", () => {
|
||||
|
||||
const restrictedItemTypesService = {
|
||||
restricted$: new BehaviorSubject<RestrictedCipherType[]>([]),
|
||||
isCipherRestricted: jest.fn().mockReturnValue(false),
|
||||
};
|
||||
|
||||
beforeEach(() => {
|
||||
@@ -729,6 +730,7 @@ function createSeededVaultPopupListFiltersService(
|
||||
const accountServiceMock = mockAccountServiceWith("userId" as UserId);
|
||||
const restrictedItemTypesServiceMock = {
|
||||
restricted$: new BehaviorSubject<RestrictedCipherType[]>([]),
|
||||
isCipherRestricted: jest.fn().mockReturnValue(false),
|
||||
} as any;
|
||||
const formBuilderInstance = new FormBuilder();
|
||||
|
||||
|
||||
@@ -39,10 +39,7 @@ import { ITreeNodeObject, TreeNode } from "@bitwarden/common/vault/models/domain
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import { FolderView } from "@bitwarden/common/vault/models/view/folder.view";
|
||||
import { ServiceUtils } from "@bitwarden/common/vault/service-utils";
|
||||
import {
|
||||
isCipherViewRestricted,
|
||||
RestrictedItemTypesService,
|
||||
} from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
import { RestrictedItemTypesService } from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
import { CIPHER_MENU_ITEMS } from "@bitwarden/common/vault/types/cipher-menu-items";
|
||||
import { ChipSelectOption } from "@bitwarden/components";
|
||||
|
||||
@@ -230,7 +227,7 @@ export class VaultPopupListFiltersService {
|
||||
}
|
||||
|
||||
// Check if cipher type is restricted (with organization exemptions)
|
||||
if (isCipherViewRestricted(cipher, restrictions)) {
|
||||
if (this.restrictedItemTypesService.isCipherRestricted(cipher, restrictions)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
@@ -24,6 +24,7 @@ import { Response } from "../models/response";
|
||||
import { CliUtils } from "../utils";
|
||||
import { CipherResponse } from "../vault/models/cipher.response";
|
||||
import { FolderResponse } from "../vault/models/folder.response";
|
||||
import { CliRestrictedItemTypesService } from "../vault/services/cli-restricted-item-types.service";
|
||||
|
||||
export class EditCommand {
|
||||
constructor(
|
||||
@@ -34,6 +35,7 @@ export class EditCommand {
|
||||
private apiService: ApiService,
|
||||
private folderApiService: FolderApiServiceAbstraction,
|
||||
private accountService: AccountService,
|
||||
private cliRestrictedItemTypesService: CliRestrictedItemTypesService,
|
||||
) {}
|
||||
|
||||
async run(
|
||||
@@ -95,6 +97,13 @@ export class EditCommand {
|
||||
return Response.badRequest("You may not edit a deleted item. Use the restore command first.");
|
||||
}
|
||||
cipherView = CipherExport.toView(req, cipherView);
|
||||
|
||||
const isCipherRestricted =
|
||||
await this.cliRestrictedItemTypesService.isCipherRestricted(cipherView);
|
||||
if (isCipherRestricted) {
|
||||
return Response.error("Editing this item type is restricted by organizational policy.");
|
||||
}
|
||||
|
||||
const encCipher = await this.cipherService.encrypt(cipherView, activeUserId);
|
||||
try {
|
||||
const updatedCipher = await this.cipherService.updateWithServer(encCipher);
|
||||
|
||||
@@ -27,7 +27,7 @@ import { ErrorResponse } from "@bitwarden/common/models/response/error.response"
|
||||
import { Utils } from "@bitwarden/common/platform/misc/utils";
|
||||
import { EncString } from "@bitwarden/common/platform/models/domain/enc-string";
|
||||
import { SendType } from "@bitwarden/common/tools/send/enums/send-type";
|
||||
import { CipherId, OrganizationId } from "@bitwarden/common/types/guid";
|
||||
import { CipherId, OrganizationId, UserId } from "@bitwarden/common/types/guid";
|
||||
import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
|
||||
import { FolderService } from "@bitwarden/common/vault/abstractions/folder/folder.service.abstraction";
|
||||
import { TotpService } from "@bitwarden/common/vault/abstractions/totp.service";
|
||||
@@ -48,6 +48,7 @@ import { SendResponse } from "../tools/send/models/send.response";
|
||||
import { CliUtils } from "../utils";
|
||||
import { CipherResponse } from "../vault/models/cipher.response";
|
||||
import { FolderResponse } from "../vault/models/folder.response";
|
||||
import { CliRestrictedItemTypesService } from "../vault/services/cli-restricted-item-types.service";
|
||||
|
||||
import { DownloadCommand } from "./download.command";
|
||||
|
||||
@@ -66,6 +67,7 @@ export class GetCommand extends DownloadCommand {
|
||||
private eventCollectionService: EventCollectionService,
|
||||
private accountProfileService: BillingAccountProfileStateService,
|
||||
private accountService: AccountService,
|
||||
private cliRestrictedItemTypesService: CliRestrictedItemTypesService,
|
||||
) {
|
||||
super(encryptService, apiService);
|
||||
}
|
||||
@@ -110,16 +112,16 @@ export class GetCommand extends DownloadCommand {
|
||||
}
|
||||
}
|
||||
|
||||
private async getCipherView(id: string): Promise<CipherView | CipherView[]> {
|
||||
private async getCipherView(id: string, userId: UserId): Promise<CipherView | CipherView[]> {
|
||||
let decCipher: CipherView = null;
|
||||
const activeUserId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
|
||||
|
||||
if (Utils.isGuid(id)) {
|
||||
const cipher = await this.cipherService.get(id, activeUserId);
|
||||
const cipher = await this.cipherService.get(id, userId);
|
||||
if (cipher != null) {
|
||||
decCipher = await this.cipherService.decrypt(cipher, activeUserId);
|
||||
decCipher = await this.cipherService.decrypt(cipher, userId);
|
||||
}
|
||||
} else if (id.trim() !== "") {
|
||||
let ciphers = await this.cipherService.getAllDecrypted(activeUserId);
|
||||
let ciphers = await this.cipherService.getAllDecrypted(userId);
|
||||
ciphers = this.searchService.searchCiphersBasic(ciphers, id);
|
||||
if (ciphers.length > 1) {
|
||||
return ciphers;
|
||||
@@ -133,20 +135,45 @@ export class GetCommand extends DownloadCommand {
|
||||
}
|
||||
|
||||
private async getCipher(id: string, filter?: (c: CipherView) => boolean) {
|
||||
let decCipher = await this.getCipherView(id);
|
||||
const activeUserId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
|
||||
|
||||
let decCipher = await this.getCipherView(id, activeUserId);
|
||||
if (decCipher == null) {
|
||||
return Response.notFound();
|
||||
}
|
||||
|
||||
if (Array.isArray(decCipher)) {
|
||||
// Apply restricted ciphers filter
|
||||
decCipher = await this.cliRestrictedItemTypesService.filterRestrictedCiphers(decCipher);
|
||||
|
||||
if (decCipher.length === 0) {
|
||||
return Response.error("Access to this item type is restricted by organizational policy.");
|
||||
}
|
||||
|
||||
if (filter != null) {
|
||||
decCipher = decCipher.filter(filter);
|
||||
if (decCipher.length === 1) {
|
||||
decCipher = decCipher[0];
|
||||
}
|
||||
}
|
||||
if (Array.isArray(decCipher)) {
|
||||
|
||||
if (decCipher.length === 0) {
|
||||
return Response.notFound();
|
||||
}
|
||||
|
||||
if (decCipher.length === 1) {
|
||||
decCipher = decCipher[0];
|
||||
} else {
|
||||
return Response.multipleResults(decCipher.map((c) => c.id));
|
||||
}
|
||||
} else {
|
||||
const isCipherRestricted =
|
||||
await this.cliRestrictedItemTypesService.isCipherRestricted(decCipher);
|
||||
if (isCipherRestricted) {
|
||||
return Response.error("Access to this item type is restricted by organizational policy.");
|
||||
}
|
||||
|
||||
// Apply filter if provided to single cipher
|
||||
if (filter != null && !filter(decCipher)) {
|
||||
return Response.notFound();
|
||||
}
|
||||
}
|
||||
|
||||
await this.eventCollectionService.collect(
|
||||
@@ -317,7 +344,8 @@ export class GetCommand extends DownloadCommand {
|
||||
return cipherResponse;
|
||||
}
|
||||
|
||||
const cipher = await this.getCipherView(itemId);
|
||||
const activeUserId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
|
||||
const cipher = await this.getCipherView(itemId, activeUserId);
|
||||
if (
|
||||
cipher == null ||
|
||||
Array.isArray(cipher) ||
|
||||
@@ -345,7 +373,6 @@ export class GetCommand extends DownloadCommand {
|
||||
return Response.multipleResults(attachments.map((a) => a.id));
|
||||
}
|
||||
|
||||
const activeUserId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
|
||||
const canAccessPremium = await firstValueFrom(
|
||||
this.accountProfileService.hasPremiumFromAnySource$(activeUserId),
|
||||
);
|
||||
|
||||
@@ -29,6 +29,7 @@ import { ListResponse } from "../models/response/list.response";
|
||||
import { CliUtils } from "../utils";
|
||||
import { CipherResponse } from "../vault/models/cipher.response";
|
||||
import { FolderResponse } from "../vault/models/folder.response";
|
||||
import { CliRestrictedItemTypesService } from "../vault/services/cli-restricted-item-types.service";
|
||||
|
||||
export class ListCommand {
|
||||
constructor(
|
||||
@@ -41,6 +42,7 @@ export class ListCommand {
|
||||
private apiService: ApiService,
|
||||
private eventCollectionService: EventCollectionService,
|
||||
private accountService: AccountService,
|
||||
private cliRestrictedItemTypesService: CliRestrictedItemTypesService,
|
||||
) {}
|
||||
|
||||
async run(object: string, cmdOptions: Record<string, any>): Promise<Response> {
|
||||
@@ -134,6 +136,8 @@ export class ListCommand {
|
||||
ciphers = this.searchService.searchCiphersBasic(ciphers, options.search, options.trash);
|
||||
}
|
||||
|
||||
ciphers = await this.cliRestrictedItemTypesService.filterRestrictedCiphers(ciphers);
|
||||
|
||||
await this.eventCollectionService.collectMany(EventType.Cipher_ClientViewed, ciphers, true);
|
||||
|
||||
const res = new ListResponse(ciphers.map((o) => new CipherResponse(o)));
|
||||
|
||||
@@ -66,6 +66,7 @@ export class OssServeConfigurator {
|
||||
this.serviceContainer.eventCollectionService,
|
||||
this.serviceContainer.billingAccountProfileStateService,
|
||||
this.serviceContainer.accountService,
|
||||
this.serviceContainer.cliRestrictedItemTypesService,
|
||||
);
|
||||
this.listCommand = new ListCommand(
|
||||
this.serviceContainer.cipherService,
|
||||
@@ -77,6 +78,7 @@ export class OssServeConfigurator {
|
||||
this.serviceContainer.apiService,
|
||||
this.serviceContainer.eventCollectionService,
|
||||
this.serviceContainer.accountService,
|
||||
this.serviceContainer.cliRestrictedItemTypesService,
|
||||
);
|
||||
this.createCommand = new CreateCommand(
|
||||
this.serviceContainer.cipherService,
|
||||
@@ -88,6 +90,7 @@ export class OssServeConfigurator {
|
||||
this.serviceContainer.billingAccountProfileStateService,
|
||||
this.serviceContainer.organizationService,
|
||||
this.serviceContainer.accountService,
|
||||
this.serviceContainer.cliRestrictedItemTypesService,
|
||||
);
|
||||
this.editCommand = new EditCommand(
|
||||
this.serviceContainer.cipherService,
|
||||
@@ -97,6 +100,7 @@ export class OssServeConfigurator {
|
||||
this.serviceContainer.apiService,
|
||||
this.serviceContainer.folderApiService,
|
||||
this.serviceContainer.accountService,
|
||||
this.serviceContainer.cliRestrictedItemTypesService,
|
||||
);
|
||||
this.generateCommand = new GenerateCommand(
|
||||
this.serviceContainer.passwordGenerationService,
|
||||
@@ -117,6 +121,7 @@ export class OssServeConfigurator {
|
||||
this.serviceContainer.billingAccountProfileStateService,
|
||||
this.serviceContainer.cipherAuthorizationService,
|
||||
this.serviceContainer.accountService,
|
||||
this.serviceContainer.cliRestrictedItemTypesService,
|
||||
);
|
||||
this.confirmCommand = new ConfirmCommand(
|
||||
this.serviceContainer.apiService,
|
||||
|
||||
@@ -150,6 +150,7 @@ import { DefaultCipherEncryptionService } from "@bitwarden/common/vault/services
|
||||
import { CipherFileUploadService } from "@bitwarden/common/vault/services/file-upload/cipher-file-upload.service";
|
||||
import { FolderApiService } from "@bitwarden/common/vault/services/folder/folder-api.service";
|
||||
import { FolderService } from "@bitwarden/common/vault/services/folder/folder.service";
|
||||
import { RestrictedItemTypesService } from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
import { TotpService } from "@bitwarden/common/vault/services/totp.service";
|
||||
import {
|
||||
legacyPasswordGenerationServiceFactory,
|
||||
@@ -187,6 +188,7 @@ import { I18nService } from "../platform/services/i18n.service";
|
||||
import { LowdbStorageService } from "../platform/services/lowdb-storage.service";
|
||||
import { NodeApiService } from "../platform/services/node-api.service";
|
||||
import { NodeEnvSecureStorageService } from "../platform/services/node-env-secure-storage.service";
|
||||
import { CliRestrictedItemTypesService } from "../vault/services/cli-restricted-item-types.service";
|
||||
|
||||
// Polyfills
|
||||
global.DOMParser = new jsdom.JSDOM().window.DOMParser;
|
||||
@@ -287,6 +289,8 @@ export class ServiceContainer {
|
||||
masterPasswordApiService: MasterPasswordApiServiceAbstraction;
|
||||
bulkEncryptService: FallbackBulkEncryptService;
|
||||
cipherEncryptionService: CipherEncryptionService;
|
||||
restrictedItemTypesService: RestrictedItemTypesService;
|
||||
cliRestrictedItemTypesService: CliRestrictedItemTypesService;
|
||||
|
||||
constructor() {
|
||||
let p = null;
|
||||
@@ -811,6 +815,7 @@ export class ServiceContainer {
|
||||
this.kdfConfigService,
|
||||
this.accountService,
|
||||
this.apiService,
|
||||
this.restrictedItemTypesService,
|
||||
);
|
||||
|
||||
this.organizationExportService = new OrganizationVaultExportService(
|
||||
@@ -823,6 +828,7 @@ export class ServiceContainer {
|
||||
this.collectionService,
|
||||
this.kdfConfigService,
|
||||
this.accountService,
|
||||
this.restrictedItemTypesService,
|
||||
);
|
||||
|
||||
this.exportService = new VaultExportService(
|
||||
@@ -864,6 +870,17 @@ export class ServiceContainer {
|
||||
);
|
||||
|
||||
this.masterPasswordApiService = new MasterPasswordApiService(this.apiService, this.logService);
|
||||
|
||||
this.restrictedItemTypesService = new RestrictedItemTypesService(
|
||||
this.configService,
|
||||
this.accountService,
|
||||
this.organizationService,
|
||||
this.policyService,
|
||||
);
|
||||
|
||||
this.cliRestrictedItemTypesService = new CliRestrictedItemTypesService(
|
||||
this.restrictedItemTypesService,
|
||||
);
|
||||
}
|
||||
|
||||
async logout() {
|
||||
|
||||
@@ -153,6 +153,7 @@ export class SendProgram extends BaseProgram {
|
||||
this.serviceContainer.eventCollectionService,
|
||||
this.serviceContainer.billingAccountProfileStateService,
|
||||
this.serviceContainer.accountService,
|
||||
this.serviceContainer.cliRestrictedItemTypesService,
|
||||
);
|
||||
const response = await cmd.run("template", object, null);
|
||||
this.processResponse(response);
|
||||
|
||||
@@ -114,6 +114,7 @@ export class VaultProgram extends BaseProgram {
|
||||
this.serviceContainer.apiService,
|
||||
this.serviceContainer.eventCollectionService,
|
||||
this.serviceContainer.accountService,
|
||||
this.serviceContainer.cliRestrictedItemTypesService,
|
||||
);
|
||||
const response = await command.run(object, cmd);
|
||||
|
||||
@@ -188,6 +189,7 @@ export class VaultProgram extends BaseProgram {
|
||||
this.serviceContainer.eventCollectionService,
|
||||
this.serviceContainer.billingAccountProfileStateService,
|
||||
this.serviceContainer.accountService,
|
||||
this.serviceContainer.cliRestrictedItemTypesService,
|
||||
);
|
||||
const response = await command.run(object, id, cmd);
|
||||
this.processResponse(response);
|
||||
@@ -233,6 +235,7 @@ export class VaultProgram extends BaseProgram {
|
||||
this.serviceContainer.billingAccountProfileStateService,
|
||||
this.serviceContainer.organizationService,
|
||||
this.serviceContainer.accountService,
|
||||
this.serviceContainer.cliRestrictedItemTypesService,
|
||||
);
|
||||
const response = await command.run(object, encodedJson, cmd);
|
||||
this.processResponse(response);
|
||||
@@ -280,6 +283,7 @@ export class VaultProgram extends BaseProgram {
|
||||
this.serviceContainer.apiService,
|
||||
this.serviceContainer.folderApiService,
|
||||
this.serviceContainer.accountService,
|
||||
this.serviceContainer.cliRestrictedItemTypesService,
|
||||
);
|
||||
const response = await command.run(object, id, encodedJson, cmd);
|
||||
this.processResponse(response);
|
||||
@@ -323,6 +327,7 @@ export class VaultProgram extends BaseProgram {
|
||||
this.serviceContainer.billingAccountProfileStateService,
|
||||
this.serviceContainer.cipherAuthorizationService,
|
||||
this.serviceContainer.accountService,
|
||||
this.serviceContainer.cliRestrictedItemTypesService,
|
||||
);
|
||||
const response = await command.run(object, id, cmd);
|
||||
this.processResponse(response);
|
||||
|
||||
@@ -29,6 +29,7 @@ import { CliUtils } from "../utils";
|
||||
|
||||
import { CipherResponse } from "./models/cipher.response";
|
||||
import { FolderResponse } from "./models/folder.response";
|
||||
import { CliRestrictedItemTypesService } from "./services/cli-restricted-item-types.service";
|
||||
|
||||
export class CreateCommand {
|
||||
constructor(
|
||||
@@ -41,6 +42,7 @@ export class CreateCommand {
|
||||
private accountProfileService: BillingAccountProfileStateService,
|
||||
private organizationService: OrganizationService,
|
||||
private accountService: AccountService,
|
||||
private cliRestrictedItemTypesService: CliRestrictedItemTypesService,
|
||||
) {}
|
||||
|
||||
async run(
|
||||
@@ -90,6 +92,15 @@ export class CreateCommand {
|
||||
|
||||
private async createCipher(req: CipherExport) {
|
||||
const activeUserId = await firstValueFrom(this.accountService.activeAccount$.pipe(getUserId));
|
||||
|
||||
const cipherView = CipherExport.toView(req);
|
||||
const isCipherTypeRestricted =
|
||||
await this.cliRestrictedItemTypesService.isCipherRestricted(cipherView);
|
||||
|
||||
if (isCipherTypeRestricted) {
|
||||
return Response.error("Creating this item type is restricted by organizational policy.");
|
||||
}
|
||||
|
||||
const cipher = await this.cipherService.encrypt(CipherExport.toView(req), activeUserId);
|
||||
try {
|
||||
const newCipher = await this.cipherService.createWithServer(cipher);
|
||||
|
||||
@@ -13,6 +13,8 @@ import { CipherAuthorizationService } from "@bitwarden/common/vault/services/cip
|
||||
import { Response } from "../models/response";
|
||||
import { CliUtils } from "../utils";
|
||||
|
||||
import { CliRestrictedItemTypesService } from "./services/cli-restricted-item-types.service";
|
||||
|
||||
export class DeleteCommand {
|
||||
constructor(
|
||||
private cipherService: CipherService,
|
||||
@@ -22,6 +24,7 @@ export class DeleteCommand {
|
||||
private accountProfileService: BillingAccountProfileStateService,
|
||||
private cipherAuthorizationService: CipherAuthorizationService,
|
||||
private accountService: AccountService,
|
||||
private cliRestrictedItemTypesService: CliRestrictedItemTypesService,
|
||||
) {}
|
||||
|
||||
async run(object: string, id: string, cmdOptions: Record<string, any>): Promise<Response> {
|
||||
@@ -60,6 +63,12 @@ export class DeleteCommand {
|
||||
return Response.error("You do not have permission to delete this item.");
|
||||
}
|
||||
|
||||
const isCipherTypeRestricted =
|
||||
await this.cliRestrictedItemTypesService.isCipherRestricted(cipher);
|
||||
if (isCipherTypeRestricted) {
|
||||
return Response.error("Deleting this item type is restricted by organizational policy.");
|
||||
}
|
||||
|
||||
try {
|
||||
if (options.permanent) {
|
||||
await this.cipherService.deleteWithServer(id, activeUserId);
|
||||
|
||||
@@ -0,0 +1,111 @@
|
||||
import { BehaviorSubject, of } from "rxjs";
|
||||
|
||||
import { CipherType } from "@bitwarden/common/vault/enums";
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import {
|
||||
RestrictedItemTypesService,
|
||||
RestrictedCipherType,
|
||||
} from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
|
||||
import { CliRestrictedItemTypesService } from "./cli-restricted-item-types.service";
|
||||
|
||||
describe("CliRestrictedItemTypesService", () => {
|
||||
let service: CliRestrictedItemTypesService;
|
||||
let restrictedSubject: BehaviorSubject<RestrictedCipherType[]>;
|
||||
let restrictedItemTypesService: Partial<RestrictedItemTypesService>;
|
||||
|
||||
const cardCipher: CipherView = {
|
||||
id: "cipher1",
|
||||
type: CipherType.Card,
|
||||
organizationId: "org1",
|
||||
} as CipherView;
|
||||
|
||||
const loginCipher: CipherView = {
|
||||
id: "cipher2",
|
||||
type: CipherType.Login,
|
||||
organizationId: "org1",
|
||||
} as CipherView;
|
||||
|
||||
const identityCipher: CipherView = {
|
||||
id: "cipher3",
|
||||
type: CipherType.Identity,
|
||||
organizationId: "org2",
|
||||
} as CipherView;
|
||||
|
||||
beforeEach(() => {
|
||||
restrictedSubject = new BehaviorSubject<RestrictedCipherType[]>([]);
|
||||
|
||||
restrictedItemTypesService = {
|
||||
restricted$: restrictedSubject,
|
||||
isCipherRestricted: jest.fn(),
|
||||
isCipherRestricted$: jest.fn(),
|
||||
};
|
||||
|
||||
service = new CliRestrictedItemTypesService(
|
||||
restrictedItemTypesService as RestrictedItemTypesService,
|
||||
);
|
||||
});
|
||||
|
||||
describe("filterRestrictedCiphers", () => {
|
||||
it("filters out restricted cipher types from array", async () => {
|
||||
restrictedSubject.next([{ cipherType: CipherType.Card, allowViewOrgIds: [] }]);
|
||||
|
||||
(restrictedItemTypesService.isCipherRestricted as jest.Mock)
|
||||
.mockReturnValueOnce(true)
|
||||
.mockReturnValueOnce(false)
|
||||
.mockReturnValueOnce(false);
|
||||
const ciphers = [cardCipher, loginCipher, identityCipher];
|
||||
|
||||
const result = await service.filterRestrictedCiphers(ciphers);
|
||||
|
||||
expect(result).toEqual([loginCipher, identityCipher]);
|
||||
});
|
||||
|
||||
it("returns all ciphers when no restrictions exist", async () => {
|
||||
restrictedSubject.next([]);
|
||||
|
||||
(restrictedItemTypesService.isCipherRestricted as jest.Mock).mockReturnValue(false);
|
||||
|
||||
const ciphers = [cardCipher, loginCipher, identityCipher];
|
||||
const result = await service.filterRestrictedCiphers(ciphers);
|
||||
|
||||
expect(result).toEqual(ciphers);
|
||||
});
|
||||
|
||||
it("handles empty cipher array", async () => {
|
||||
const result = await service.filterRestrictedCiphers([]);
|
||||
|
||||
expect(result).toEqual([]);
|
||||
});
|
||||
});
|
||||
|
||||
describe("isCipherRestricted", () => {
|
||||
it("returns true for restricted cipher type with no organization exemptions", async () => {
|
||||
(restrictedItemTypesService.isCipherRestricted$ as jest.Mock).mockReturnValue(of(true));
|
||||
|
||||
const result = await service.isCipherRestricted(cardCipher);
|
||||
expect(result).toBe(true);
|
||||
});
|
||||
|
||||
it("returns false for non-restricted cipher type", async () => {
|
||||
(restrictedItemTypesService.isCipherRestricted$ as jest.Mock).mockReturnValue(of(false));
|
||||
|
||||
const result = await service.isCipherRestricted(loginCipher);
|
||||
expect(result).toBe(false);
|
||||
});
|
||||
|
||||
it("returns false when no restrictions exist", async () => {
|
||||
(restrictedItemTypesService.isCipherRestricted$ as jest.Mock).mockReturnValue(of(false));
|
||||
|
||||
const result = await service.isCipherRestricted(cardCipher);
|
||||
expect(result).toBe(false);
|
||||
});
|
||||
|
||||
it("returns false for organization cipher when organization is in allowViewOrgIds", async () => {
|
||||
(restrictedItemTypesService.isCipherRestricted$ as jest.Mock).mockReturnValue(of(false));
|
||||
|
||||
const result = await service.isCipherRestricted(cardCipher);
|
||||
expect(result).toBe(false);
|
||||
});
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,45 @@
|
||||
import { firstValueFrom } from "rxjs";
|
||||
|
||||
import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import {
|
||||
RestrictedCipherType,
|
||||
RestrictedItemTypesService,
|
||||
} from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
|
||||
export class CliRestrictedItemTypesService {
|
||||
constructor(private restrictedItemTypesService: RestrictedItemTypesService) {}
|
||||
|
||||
/**
|
||||
* Gets all restricted cipher types for the current user.
|
||||
*
|
||||
* @returns Promise resolving to array of restricted cipher types with allowed organization IDs
|
||||
*/
|
||||
async getRestrictedTypes(): Promise<RestrictedCipherType[]> {
|
||||
return firstValueFrom(this.restrictedItemTypesService.restricted$);
|
||||
}
|
||||
|
||||
/**
|
||||
* Filters out restricted cipher types from an array of ciphers.
|
||||
*
|
||||
* @param ciphers - Array of ciphers to filter
|
||||
* @returns Promise resolving to filtered array with restricted ciphers removed
|
||||
*/
|
||||
async filterRestrictedCiphers(ciphers: CipherView[]): Promise<CipherView[]> {
|
||||
const restrictions = await this.getRestrictedTypes();
|
||||
|
||||
return ciphers.filter(
|
||||
(cipher) => !this.restrictedItemTypesService.isCipherRestricted(cipher, restrictions),
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if a specific cipher type is restricted for the user.
|
||||
*
|
||||
* @param cipherType - The cipher type to check
|
||||
* @returns Promise resolving to true if the cipher type is restricted, false otherwise
|
||||
*/
|
||||
async isCipherRestricted(cipher: Cipher | CipherView): Promise<boolean> {
|
||||
return firstValueFrom(this.restrictedItemTypesService.isCipherRestricted$(cipher));
|
||||
}
|
||||
}
|
||||
@@ -3,7 +3,6 @@
|
||||
import { Unassigned } from "@bitwarden/admin-console/common";
|
||||
import { CipherType } from "@bitwarden/common/vault/enums";
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import { RestrictedCipherType } from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
|
||||
import { createFilterFunction } from "./filter-function";
|
||||
import { All } from "./routed-vault-filter.model";
|
||||
@@ -215,46 +214,6 @@ describe("createFilter", () => {
|
||||
expect(result).toBe(true);
|
||||
});
|
||||
});
|
||||
|
||||
describe("given restricted types", () => {
|
||||
const restrictedTypes: RestrictedCipherType[] = [
|
||||
{ cipherType: CipherType.Login, allowViewOrgIds: [] },
|
||||
];
|
||||
|
||||
it("should filter out a cipher whose type is fully restricted", () => {
|
||||
const cipher = createCipher({ type: CipherType.Login });
|
||||
const filterFunction = createFilterFunction({}, restrictedTypes);
|
||||
|
||||
expect(filterFunction(cipher)).toBe(false);
|
||||
});
|
||||
|
||||
it("should allow a cipher when the cipher's organization allows it", () => {
|
||||
const cipher = createCipher({ type: CipherType.Login, organizationId: "org1" });
|
||||
const restricted: RestrictedCipherType[] = [
|
||||
{ cipherType: CipherType.Login, allowViewOrgIds: ["org1"] },
|
||||
];
|
||||
const filterFunction2 = createFilterFunction({}, restricted);
|
||||
|
||||
expect(filterFunction2(cipher)).toBe(true);
|
||||
});
|
||||
|
||||
it("should filter out a personal vault cipher when the owning orgs does not allow it", () => {
|
||||
const cipher = createCipher({ type: CipherType.Card, organizationId: "org1" });
|
||||
const restricted2: RestrictedCipherType[] = [
|
||||
{ cipherType: CipherType.Card, allowViewOrgIds: [] },
|
||||
];
|
||||
const filterFunction3 = createFilterFunction({}, restricted2);
|
||||
|
||||
expect(filterFunction3(cipher)).toBe(false);
|
||||
});
|
||||
|
||||
it("should not filter a cipher if there are no restricted types", () => {
|
||||
const cipher = createCipher({ type: CipherType.Login });
|
||||
const filterFunction = createFilterFunction({}, []);
|
||||
|
||||
expect(filterFunction(cipher)).toBe(true);
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
function createCipher(options: Partial<CipherView> = {}) {
|
||||
|
||||
@@ -1,19 +1,12 @@
|
||||
import { Unassigned } from "@bitwarden/admin-console/common";
|
||||
import { CipherType } from "@bitwarden/common/vault/enums";
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import {
|
||||
isCipherViewRestricted,
|
||||
RestrictedCipherType,
|
||||
} from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
|
||||
import { All, RoutedVaultFilterModel } from "./routed-vault-filter.model";
|
||||
|
||||
export type FilterFunction = (cipher: CipherView) => boolean;
|
||||
|
||||
export function createFilterFunction(
|
||||
filter: RoutedVaultFilterModel,
|
||||
restrictedTypes?: RestrictedCipherType[],
|
||||
): FilterFunction {
|
||||
export function createFilterFunction(filter: RoutedVaultFilterModel): FilterFunction {
|
||||
return (cipher) => {
|
||||
if (filter.type === "favorites" && !cipher.favorite) {
|
||||
return false;
|
||||
@@ -86,10 +79,7 @@ export function createFilterFunction(
|
||||
) {
|
||||
return false;
|
||||
}
|
||||
// Restricted types
|
||||
if (restrictedTypes && isCipherViewRestricted(cipher, restrictedTypes)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
};
|
||||
}
|
||||
|
||||
@@ -354,17 +354,26 @@ export class VaultComponent implements OnInit, OnDestroy {
|
||||
|
||||
this.currentSearchText$ = this.route.queryParams.pipe(map((queryParams) => queryParams.search));
|
||||
|
||||
const ciphers$ = combineLatest([
|
||||
/**
|
||||
* This observable filters the ciphers based on the active user ID and the restricted item types.
|
||||
*/
|
||||
const allowedCiphers$ = combineLatest([
|
||||
this.cipherService.cipherViews$(activeUserId).pipe(filter((c) => c !== null)),
|
||||
filter$,
|
||||
this.currentSearchText$,
|
||||
this.restrictedItemTypesService.restricted$,
|
||||
]).pipe(
|
||||
map(([ciphers, restrictedTypes]) =>
|
||||
ciphers.filter(
|
||||
(cipher) => !this.restrictedItemTypesService.isCipherRestricted(cipher, restrictedTypes),
|
||||
),
|
||||
),
|
||||
);
|
||||
|
||||
const ciphers$ = combineLatest([allowedCiphers$, filter$, this.currentSearchText$]).pipe(
|
||||
filter(([ciphers, filter]) => ciphers != undefined && filter != undefined),
|
||||
concatMap(async ([ciphers, filter, searchText, restrictedTypes]) => {
|
||||
concatMap(async ([ciphers, filter, searchText]) => {
|
||||
const failedCiphers =
|
||||
(await firstValueFrom(this.cipherService.failedToDecryptCiphers$(activeUserId))) ?? [];
|
||||
const filterFunction = createFilterFunction(filter, restrictedTypes);
|
||||
const filterFunction = createFilterFunction(filter);
|
||||
// Append any failed to decrypt ciphers to the top of the cipher list
|
||||
const allCiphers = [...failedCiphers, ...ciphers];
|
||||
|
||||
|
||||
@@ -891,6 +891,7 @@ const safeProviders: SafeProvider[] = [
|
||||
KdfConfigService,
|
||||
AccountServiceAbstraction,
|
||||
ApiServiceAbstraction,
|
||||
RestrictedItemTypesService,
|
||||
],
|
||||
}),
|
||||
safeProvider({
|
||||
@@ -906,6 +907,7 @@ const safeProviders: SafeProvider[] = [
|
||||
CollectionService,
|
||||
KdfConfigService,
|
||||
AccountServiceAbstraction,
|
||||
RestrictedItemTypesService,
|
||||
],
|
||||
}),
|
||||
safeProvider({
|
||||
|
||||
@@ -22,10 +22,7 @@ import { getUserId } from "@bitwarden/common/auth/services/account.service";
|
||||
import { CipherService } from "@bitwarden/common/vault/abstractions/cipher.service";
|
||||
import { CipherType } from "@bitwarden/common/vault/enums";
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import {
|
||||
isCipherViewRestricted,
|
||||
RestrictedItemTypesService,
|
||||
} from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
import { RestrictedItemTypesService } from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
import { CIPHER_MENU_ITEMS } from "@bitwarden/common/vault/types/cipher-menu-items";
|
||||
|
||||
@Directive()
|
||||
@@ -174,7 +171,7 @@ export class VaultItemsComponent implements OnInit, OnDestroy {
|
||||
allCiphers = [..._failedCiphers, ...allCiphers];
|
||||
|
||||
const restrictedTypeFilter = (cipher: CipherView) =>
|
||||
!isCipherViewRestricted(cipher, restricted);
|
||||
!this.restrictedItemTypesService.isCipherRestricted(cipher, restricted);
|
||||
|
||||
return this.searchService.searchCiphers(
|
||||
userId,
|
||||
|
||||
@@ -11,11 +11,15 @@ import { ConfigService } from "@bitwarden/common/platform/abstractions/config/co
|
||||
import { CipherType } from "@bitwarden/common/vault/enums";
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
|
||||
import { Cipher } from "../models/domain/cipher";
|
||||
|
||||
export type RestrictedCipherType = {
|
||||
cipherType: CipherType;
|
||||
allowViewOrgIds: string[];
|
||||
};
|
||||
|
||||
type CipherLike = Cipher | CipherView;
|
||||
|
||||
export class RestrictedItemTypesService {
|
||||
/**
|
||||
* Emits an array of RestrictedCipherType objects:
|
||||
@@ -76,26 +80,47 @@ export class RestrictedItemTypesService {
|
||||
private organizationService: OrganizationService,
|
||||
private policyService: PolicyService,
|
||||
) {}
|
||||
}
|
||||
|
||||
/**
|
||||
* Filter that returns whether a cipher is restricted from being viewed by the user
|
||||
* Criteria:
|
||||
* - the cipher's type is restricted by at least one org
|
||||
* UNLESS
|
||||
* - the cipher belongs to an organization and that organization does not restrict that type
|
||||
* OR
|
||||
* - the cipher belongs to the user's personal vault and at least one other organization does not restrict that type
|
||||
*/
|
||||
export function isCipherViewRestricted(
|
||||
cipher: CipherView,
|
||||
restrictedTypes: RestrictedCipherType[],
|
||||
) {
|
||||
return restrictedTypes.some(
|
||||
(restrictedType) =>
|
||||
restrictedType.cipherType === cipher.type &&
|
||||
(cipher.organizationId
|
||||
? !restrictedType.allowViewOrgIds.includes(cipher.organizationId)
|
||||
: restrictedType.allowViewOrgIds.length === 0),
|
||||
);
|
||||
/**
|
||||
* Determines if a cipher is restricted from being viewed by the user.
|
||||
*
|
||||
* @param cipher - The cipher to check
|
||||
* @param restrictedTypes - Array of restricted cipher types (from restricted$ observable)
|
||||
* @returns true if the cipher is restricted, false otherwise
|
||||
*
|
||||
* Restriction logic:
|
||||
* - If cipher type is not restricted by any org → allowed
|
||||
* - If cipher belongs to an org that allows this type → allowed
|
||||
* - If cipher is personal vault and any org allows this type → allowed
|
||||
* - Otherwise → restricted
|
||||
*/
|
||||
isCipherRestricted(cipher: CipherLike, restrictedTypes: RestrictedCipherType[]): boolean {
|
||||
const restriction = restrictedTypes.find((r) => r.cipherType === cipher.type);
|
||||
|
||||
// If cipher type is not restricted by any organization, allow it
|
||||
if (!restriction) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// If cipher belongs to an organization
|
||||
if (cipher.organizationId) {
|
||||
// Check if this organization allows viewing this cipher type
|
||||
return !restriction.allowViewOrgIds.includes(cipher.organizationId);
|
||||
}
|
||||
|
||||
// For personal vault ciphers: restricted only if NO organizations allow this type
|
||||
return restriction.allowViewOrgIds.length === 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Convenience method that combines getting restrictions and checking a cipher.
|
||||
*
|
||||
* @param cipher - The cipher to check
|
||||
* @returns Observable<boolean> indicating if the cipher is restricted
|
||||
*/
|
||||
isCipherRestricted$(cipher: CipherLike): Observable<boolean> {
|
||||
return this.restricted$.pipe(
|
||||
map((restrictedTypes) => this.isCipherRestricted(cipher, restrictedTypes)),
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -25,6 +25,10 @@ import { AttachmentView } from "@bitwarden/common/vault/models/view/attachment.v
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import { FolderView } from "@bitwarden/common/vault/models/view/folder.view";
|
||||
import { LoginView } from "@bitwarden/common/vault/models/view/login.view";
|
||||
import {
|
||||
RestrictedCipherType,
|
||||
RestrictedItemTypesService,
|
||||
} from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
import {
|
||||
DEFAULT_KDF_CONFIG,
|
||||
PBKDF2KdfConfig,
|
||||
@@ -170,6 +174,8 @@ describe("VaultExportService", () => {
|
||||
let kdfConfigService: MockProxy<KdfConfigService>;
|
||||
let accountService: MockProxy<AccountService>;
|
||||
let apiService: MockProxy<ApiService>;
|
||||
let restrictedSubject: BehaviorSubject<RestrictedCipherType[]>;
|
||||
let restrictedItemTypesService: Partial<RestrictedItemTypesService>;
|
||||
let fetchMock: jest.Mock;
|
||||
|
||||
const userId = "" as UserId;
|
||||
@@ -186,6 +192,12 @@ describe("VaultExportService", () => {
|
||||
apiService = mock<ApiService>();
|
||||
|
||||
keyService.userKey$.mockReturnValue(new BehaviorSubject("mockOriginalUserKey" as any));
|
||||
restrictedSubject = new BehaviorSubject<RestrictedCipherType[]>([]);
|
||||
restrictedItemTypesService = {
|
||||
restricted$: new BehaviorSubject<RestrictedCipherType[]>([]),
|
||||
isCipherRestricted: jest.fn().mockReturnValue(false),
|
||||
isCipherRestricted$: jest.fn().mockReturnValue(of(false)),
|
||||
};
|
||||
|
||||
const accountInfo: AccountInfo = {
|
||||
email: "",
|
||||
@@ -223,6 +235,7 @@ describe("VaultExportService", () => {
|
||||
kdfConfigService,
|
||||
accountService,
|
||||
apiService,
|
||||
restrictedItemTypesService as RestrictedItemTypesService,
|
||||
);
|
||||
});
|
||||
|
||||
@@ -262,6 +275,46 @@ describe("VaultExportService", () => {
|
||||
expectEqualCiphers(UserCipherDomains.slice(0, 2), exportedData.data);
|
||||
});
|
||||
|
||||
it("does not unencrypted export restricted user items", async () => {
|
||||
restrictedSubject.next([{ cipherType: CipherType.Card, allowViewOrgIds: [] }]);
|
||||
const cardCipher = generateCipherView(false);
|
||||
cardCipher.type = CipherType.Card;
|
||||
|
||||
(restrictedItemTypesService.isCipherRestricted as jest.Mock)
|
||||
.mockReturnValueOnce(false)
|
||||
.mockReturnValueOnce(true) // cardCipher - restricted
|
||||
.mockReturnValueOnce(false);
|
||||
|
||||
const testCiphers = [UserCipherViews[0], cardCipher, UserCipherViews[1]];
|
||||
cipherService.getAllDecrypted.mockResolvedValue(testCiphers);
|
||||
|
||||
const actual = await exportService.getExport("json");
|
||||
expect(typeof actual.data).toBe("string");
|
||||
const exportedData = actual as ExportedVaultAsString;
|
||||
|
||||
expectEqualCiphers([UserCipherViews[0], UserCipherViews[1]], exportedData.data);
|
||||
});
|
||||
|
||||
it("does not encrypted export restricted user items", async () => {
|
||||
restrictedSubject.next([{ cipherType: CipherType.Card, allowViewOrgIds: [] }]);
|
||||
const cardCipher = generateCipherDomain(false);
|
||||
cardCipher.type = CipherType.Card;
|
||||
|
||||
(restrictedItemTypesService.isCipherRestricted as jest.Mock)
|
||||
.mockReturnValueOnce(false)
|
||||
.mockReturnValueOnce(true) // cardCipher - restricted
|
||||
.mockReturnValueOnce(false);
|
||||
|
||||
const testCiphers = [UserCipherDomains[0], cardCipher, UserCipherDomains[1]];
|
||||
cipherService.getAll.mockResolvedValue(testCiphers);
|
||||
|
||||
const actual = await exportService.getExport("encrypted_json");
|
||||
expect(typeof actual.data).toBe("string");
|
||||
const exportedData = actual as ExportedVaultAsString;
|
||||
|
||||
expectEqualCiphers([UserCipherDomains[0], UserCipherDomains[1]], exportedData.data);
|
||||
});
|
||||
|
||||
describe("zip export", () => {
|
||||
it("contains data.json", async () => {
|
||||
cipherService.getAllDecrypted.mockResolvedValue([]);
|
||||
|
||||
@@ -20,6 +20,7 @@ import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
|
||||
import { Folder } from "@bitwarden/common/vault/models/domain/folder";
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import { FolderView } from "@bitwarden/common/vault/models/view/folder.view";
|
||||
import { RestrictedItemTypesService } from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
import { KdfConfigService, KeyService } from "@bitwarden/key-management";
|
||||
|
||||
import {
|
||||
@@ -50,6 +51,7 @@ export class IndividualVaultExportService
|
||||
kdfConfigService: KdfConfigService,
|
||||
private accountService: AccountService,
|
||||
private apiService: ApiService,
|
||||
private restrictedItemTypesService: RestrictedItemTypesService,
|
||||
) {
|
||||
super(pinService, encryptService, cryptoFunctionService, kdfConfigService);
|
||||
}
|
||||
@@ -169,9 +171,15 @@ export class IndividualVaultExportService
|
||||
}),
|
||||
);
|
||||
|
||||
const restrictions = await firstValueFrom(this.restrictedItemTypesService.restricted$);
|
||||
|
||||
promises.push(
|
||||
this.cipherService.getAllDecrypted(activeUserId).then((ciphers) => {
|
||||
decCiphers = ciphers.filter((f) => f.deletedDate == null);
|
||||
decCiphers = ciphers.filter(
|
||||
(f) =>
|
||||
f.deletedDate == null &&
|
||||
!this.restrictedItemTypesService.isCipherRestricted(f, restrictions),
|
||||
);
|
||||
}),
|
||||
);
|
||||
|
||||
@@ -203,9 +211,15 @@ export class IndividualVaultExportService
|
||||
}),
|
||||
);
|
||||
|
||||
const restrictions = await firstValueFrom(this.restrictedItemTypesService.restricted$);
|
||||
|
||||
promises.push(
|
||||
this.cipherService.getAll(activeUserId).then((c) => {
|
||||
ciphers = c.filter((f) => f.deletedDate == null);
|
||||
ciphers = c.filter(
|
||||
(f) =>
|
||||
f.deletedDate == null &&
|
||||
!this.restrictedItemTypesService.isCipherRestricted(f, restrictions),
|
||||
);
|
||||
}),
|
||||
);
|
||||
|
||||
|
||||
@@ -24,6 +24,7 @@ import { CipherType } from "@bitwarden/common/vault/enums";
|
||||
import { CipherData } from "@bitwarden/common/vault/models/data/cipher.data";
|
||||
import { Cipher } from "@bitwarden/common/vault/models/domain/cipher";
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import { RestrictedItemTypesService } from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
import { KdfConfigService, KeyService } from "@bitwarden/key-management";
|
||||
|
||||
import {
|
||||
@@ -52,6 +53,7 @@ export class OrganizationVaultExportService
|
||||
private collectionService: CollectionService,
|
||||
kdfConfigService: KdfConfigService,
|
||||
private accountService: AccountService,
|
||||
private restrictedItemTypesService: RestrictedItemTypesService,
|
||||
) {
|
||||
super(pinService, encryptService, cryptoFunctionService, kdfConfigService);
|
||||
}
|
||||
@@ -133,6 +135,8 @@ export class OrganizationVaultExportService
|
||||
const decCiphers: CipherView[] = [];
|
||||
const promises = [];
|
||||
|
||||
const restrictions = await firstValueFrom(this.restrictedItemTypesService.restricted$);
|
||||
|
||||
promises.push(
|
||||
this.apiService.getOrganizationExport(organizationId).then((exportData) => {
|
||||
const exportPromises: any = [];
|
||||
@@ -156,7 +160,11 @@ export class OrganizationVaultExportService
|
||||
const cipher = new Cipher(new CipherData(c));
|
||||
exportPromises.push(
|
||||
this.cipherService.decrypt(cipher, activeUserId).then((decCipher) => {
|
||||
decCiphers.push(decCipher);
|
||||
if (
|
||||
!this.restrictedItemTypesService.isCipherRestricted(decCipher, restrictions)
|
||||
) {
|
||||
decCiphers.push(decCipher);
|
||||
}
|
||||
}),
|
||||
);
|
||||
});
|
||||
@@ -176,7 +184,7 @@ export class OrganizationVaultExportService
|
||||
|
||||
private async getOrganizationEncryptedExport(organizationId: string): Promise<string> {
|
||||
const collections: Collection[] = [];
|
||||
const ciphers: Cipher[] = [];
|
||||
let ciphers: Cipher[] = [];
|
||||
const promises = [];
|
||||
|
||||
promises.push(
|
||||
@@ -190,15 +198,17 @@ export class OrganizationVaultExportService
|
||||
}),
|
||||
);
|
||||
|
||||
const restrictions = await firstValueFrom(this.restrictedItemTypesService.restricted$);
|
||||
|
||||
promises.push(
|
||||
this.apiService.getCiphersOrganization(organizationId).then((c) => {
|
||||
if (c != null && c.data != null && c.data.length > 0) {
|
||||
c.data
|
||||
ciphers = c.data
|
||||
.filter((item) => item.deletedDate === null)
|
||||
.forEach((item) => {
|
||||
const cipher = new Cipher(new CipherData(item));
|
||||
ciphers.push(cipher);
|
||||
});
|
||||
.map((item) => new Cipher(new CipherData(item)))
|
||||
.filter(
|
||||
(cipher) => !this.restrictedItemTypesService.isCipherRestricted(cipher, restrictions),
|
||||
);
|
||||
}
|
||||
}),
|
||||
);
|
||||
@@ -231,11 +241,14 @@ export class OrganizationVaultExportService
|
||||
);
|
||||
await Promise.all(promises);
|
||||
|
||||
const restrictions = await firstValueFrom(this.restrictedItemTypesService.restricted$);
|
||||
|
||||
decCiphers = allDecCiphers.filter(
|
||||
(f) =>
|
||||
f.deletedDate == null &&
|
||||
f.organizationId == organizationId &&
|
||||
decCollections.some((dC) => f.collectionIds.some((cId) => dC.id === cId)),
|
||||
decCollections.some((dC) => f.collectionIds.some((cId) => dC.id === cId)) &&
|
||||
!this.restrictedItemTypesService.isCipherRestricted(f, restrictions),
|
||||
);
|
||||
|
||||
if (format === "csv") {
|
||||
@@ -267,11 +280,14 @@ export class OrganizationVaultExportService
|
||||
|
||||
await Promise.all(promises);
|
||||
|
||||
const restrictions = await firstValueFrom(this.restrictedItemTypesService.restricted$);
|
||||
|
||||
encCiphers = allCiphers.filter(
|
||||
(f) =>
|
||||
f.deletedDate == null &&
|
||||
f.organizationId == organizationId &&
|
||||
encCollections.some((eC) => f.collectionIds.some((cId) => eC.id === cId)),
|
||||
encCollections.some((eC) => f.collectionIds.some((cId) => eC.id === cId)) &&
|
||||
!this.restrictedItemTypesService.isCipherRestricted(f, restrictions),
|
||||
);
|
||||
|
||||
return this.BuildEncryptedExport(organizationId, encCollections, encCiphers);
|
||||
|
||||
@@ -19,6 +19,10 @@ import { Login } from "@bitwarden/common/vault/models/domain/login";
|
||||
import { CipherView } from "@bitwarden/common/vault/models/view/cipher.view";
|
||||
import { FolderView } from "@bitwarden/common/vault/models/view/folder.view";
|
||||
import { LoginView } from "@bitwarden/common/vault/models/view/login.view";
|
||||
import {
|
||||
RestrictedCipherType,
|
||||
RestrictedItemTypesService,
|
||||
} from "@bitwarden/common/vault/services/restricted-item-types.service";
|
||||
import {
|
||||
DEFAULT_KDF_CONFIG,
|
||||
PBKDF2KdfConfig,
|
||||
@@ -159,6 +163,7 @@ describe("VaultExportService", () => {
|
||||
let accountService: MockProxy<AccountService>;
|
||||
let kdfConfigService: MockProxy<KdfConfigService>;
|
||||
let apiService: MockProxy<ApiService>;
|
||||
let restrictedItemTypesService: Partial<RestrictedItemTypesService>;
|
||||
|
||||
beforeEach(() => {
|
||||
cryptoFunctionService = mock<CryptoFunctionService>();
|
||||
@@ -186,6 +191,12 @@ describe("VaultExportService", () => {
|
||||
const activeAccount = { id: userId, ...accountInfo };
|
||||
accountService.activeAccount$ = new BehaviorSubject(activeAccount);
|
||||
|
||||
restrictedItemTypesService = {
|
||||
restricted$: new BehaviorSubject<RestrictedCipherType[]>([]),
|
||||
isCipherRestricted: jest.fn().mockReturnValue(false),
|
||||
isCipherRestricted$: jest.fn().mockReturnValue(of(false)),
|
||||
};
|
||||
|
||||
exportService = new IndividualVaultExportService(
|
||||
folderService,
|
||||
cipherService,
|
||||
@@ -196,6 +207,7 @@ describe("VaultExportService", () => {
|
||||
kdfConfigService,
|
||||
accountService,
|
||||
apiService,
|
||||
restrictedItemTypesService as RestrictedItemTypesService,
|
||||
);
|
||||
});
|
||||
|
||||
|
||||
Reference in New Issue
Block a user