[SM-654] Individual secret permissions (#4160)

* Add new data and request models

* Update authz handlers

* Update secret commands to handle access policy updates

* Update secret repository to handle access policy updates

* Update secrets controller to handle access policy updates

* Add tests

* Add integration tests for secret create

src/Api/SecretsManager/Models/Request/AccessPolicyRequest.cs

@@ -25,6 +25,16 @@ public class AccessPolicyRequest
             Write = Write
         };
 
+    public UserSecretAccessPolicy ToUserSecretAccessPolicy(Guid secretId, Guid organizationId) =>
+        new()
+        {
+            OrganizationUserId = GranteeId,
+            GrantedSecretId = secretId,
+            GrantedSecret = new Secret { OrganizationId = organizationId, Id = secretId },
+            Read = Read,
+            Write = Write
+        };
+
     public GroupProjectAccessPolicy ToGroupProjectAccessPolicy(Guid projectId, Guid organizationId) =>
         new()
         {
@@ -35,6 +45,16 @@ public class AccessPolicyRequest
             Write = Write
         };
 
+    public GroupSecretAccessPolicy ToGroupSecretAccessPolicy(Guid secretId, Guid organizationId) =>
+        new()
+        {
+            GroupId = GranteeId,
+            GrantedSecretId = secretId,
+            GrantedSecret = new Secret { OrganizationId = organizationId, Id = secretId },
+            Read = Read,
+            Write = Write
+        };
+
     public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid projectId, Guid organizationId) =>
         new()
         {
@@ -45,6 +65,16 @@ public class AccessPolicyRequest
             Write = Write
         };
 
+    public ServiceAccountSecretAccessPolicy ToServiceAccountSecretAccessPolicy(Guid secretId, Guid organizationId) =>
+        new()
+        {
+            ServiceAccountId = GranteeId,
+            GrantedSecretId = secretId,
+            GrantedSecret = new Secret { OrganizationId = organizationId, Id = secretId },
+            Read = Read,
+            Write = Write
+        };
+
     public UserServiceAccountAccessPolicy ToUserServiceAccountAccessPolicy(Guid id, Guid organizationId) =>
         new()
         {

src/Api/SecretsManager/Models/Request/SecretAccessPoliciesRequestsModel.cs

@@ -0,0 +1,42 @@
+#nullable enable
+using Bit.Api.SecretsManager.Utilities;
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Models.Data;
+
+namespace Bit.Api.SecretsManager.Models.Request;
+
+public class SecretAccessPoliciesRequestsModel
+{
+    public required IEnumerable<AccessPolicyRequest> UserAccessPolicyRequests { get; set; }
+
+    public required IEnumerable<AccessPolicyRequest> GroupAccessPolicyRequests { get; set; }
+
+    public required IEnumerable<AccessPolicyRequest> ServiceAccountAccessPolicyRequests { get; set; }
+
+    public SecretAccessPolicies ToSecretAccessPolicies(Guid secretId, Guid organizationId)
+    {
+        var userAccessPolicies = UserAccessPolicyRequests
+            .Select(x => x.ToUserSecretAccessPolicy(secretId, organizationId)).ToList();
+        var groupAccessPolicies = GroupAccessPolicyRequests
+            .Select(x => x.ToGroupSecretAccessPolicy(secretId, organizationId)).ToList();
+        var serviceAccountAccessPolicies = ServiceAccountAccessPolicyRequests
+            .Select(x => x.ToServiceAccountSecretAccessPolicy(secretId, organizationId)).ToList();
+
+        var policies = new List<BaseAccessPolicy>();
+        policies.AddRange(userAccessPolicies);
+        policies.AddRange(groupAccessPolicies);
+        policies.AddRange(serviceAccountAccessPolicies);
+
+        AccessPolicyHelpers.CheckForDistinctAccessPolicies(policies);
+        AccessPolicyHelpers.CheckAccessPoliciesHaveReadPermission(policies);
+
+        return new SecretAccessPolicies
+        {
+            SecretId = secretId,
+            OrganizationId = organizationId,
+            UserAccessPolicies = userAccessPolicies,
+            GroupAccessPolicies = groupAccessPolicies,
+            ServiceAccountAccessPolicies = serviceAccountAccessPolicies
+        };
+    }
+}

src/Api/SecretsManager/Models/Request/SecretCreateRequestModel.cs

@@ -23,6 +23,8 @@ public class SecretCreateRequestModel : IValidatableObject
 
     public Guid[] ProjectIds { get; set; }
 
+    public SecretAccessPoliciesRequestsModel AccessPoliciesRequests { get; set; }
+
     public Secret ToSecret(Guid organizationId)
     {
         return new Secret()

src/Api/SecretsManager/Models/Request/SecretUpdateRequestModel.cs

@@ -23,18 +23,27 @@ public class SecretUpdateRequestModel : IValidatableObject
 
     public Guid[] ProjectIds { get; set; }
 
-    public Secret ToSecret(Guid id, Guid organizationId)
+    public SecretAccessPoliciesRequestsModel AccessPoliciesRequests { get; set; }
+
+    public Secret ToSecret(Secret secret)
     {
-        return new Secret()
+        secret.Key = Key;
+        secret.Value = Value;
+        secret.Note = Note;
+        secret.RevisionDate = DateTime.UtcNow;
+
+        if (secret.Projects?.FirstOrDefault()?.Id == ProjectIds?.FirstOrDefault())
         {
-            Id = id,
-            OrganizationId = organizationId,
-            Key = Key,
-            Value = Value,
-            Note = Note,
-            DeletedDate = null,
-            Projects = ProjectIds != null && ProjectIds.Any() ? ProjectIds.Select(x => new Project() { Id = x }).ToList() : null,
-        };
+            secret.Projects = null;
+        }
+        else
+        {
+            secret.Projects = ProjectIds != null && ProjectIds.Length != 0
+                ? ProjectIds.Select(x => new Project() { Id = x }).ToList()
+                : [];
+        }
+
+        return secret;
     }
 
     public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)