Add RBAC to Bitwarden Portal (#2853)

* Auth/pm-48 (#2680) * PM-48 - add user's role as a claim and establish access control service * PM-48 - remove function unrelated to the role claim * PM-48 - fix whitespace issues * PM-48 - move registration of CustomClaimsPrincipalFactory, replace role claim type string with constant, streamline code that retrieves the user's role * Auth/pm-47 (#2699) * PM-48 - add user's role as a claim and establish access control service * PM-48 - remove function unrelated to the role claim * PM-48 - fix whitespace issues * PM-47 - add list of permission enums, role:permissions mapping, and function that determines if the logged in user has the given permission * PM-47 - remove unneeded service registration, set role to lowercase * PM-47 - fix code style issues * PM-46 - create permission filter attribute (#2753) * Auth/pm-54 add rbac for users (#2758) * PM-54 - add permission gates to User elements * PM-54 - fix formatting * PM-54 - remove unused function * PM-54 - fix variable reference, add permission to billing role * PM-54 - handle Upgrade Premium button functionality and fix spelling * PM-54 - change permission name to be more accurate * PM-49 - update role retrieval (#2779) * Auth/[PM-50] add rbac for logs (#2782) * PM-50 - add rbac for logs * PM-50 - remove unnecessary action filter * PM-51 - add RBAC for tools (#2799) * Auth/[pm-52] add rbac providers (#2818) * PM-52 add rbac for providers * PM-52 - update redirect action * PM-52 - add back edit functionality and permission * PM-52 - reverse changes around removing edit functionality * PM-52 - moved permission check to variable assignement * PM-53 - add rbac for organizations (#2798) * PM-52 - add missed permission to billing role (#2836) * Fixed merge conflicts. * [PM-1846] Updates to add RBAC back after merge conflicts (#2870) * Updates to add RBAC to changes from reseller. * Added back checks for delete and initiating a trial. * Removed extraneous Razor tag. --------- Co-authored-by: dgoodman-bw <109169446+dgoodman-bw@users.noreply.github.com> Co-authored-by: Danielle Goodman <dgoodman@bitwarden.com> Co-authored-by: Jacob Fink <jfink@bitwarden.com>
2025-12-25 04:33:26 +00:00 · 2023-05-04 15:18:49 -04:00
parent 2ac513e15a
commit 0bd0910c39
24 changed files with 1101 additions and 410 deletions
--- a/src/Admin/IdentityServer/CustomClaimsPrincipalFactory.cs
+++ b/src/Admin/IdentityServer/CustomClaimsPrincipalFactory.cs
@@ -0,0 +1,42 @@
+using System.Security.Claims;
+using Bit.Admin.Services;
+using Bit.Core.Settings;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Options;
+
+public class CustomClaimsPrincipalFactory : UserClaimsPrincipalFactory<IdentityUser>
+{
+    private IAccessControlService _accessControlService;
+    private readonly IGlobalSettings _globalSettings;
+
+    public CustomClaimsPrincipalFactory(
+        UserManager<IdentityUser> userManager,
+        IOptions<IdentityOptions> optionsAccessor,
+        IAccessControlService accessControlService,
+        IGlobalSettings globalSettings)
+            : base(userManager, optionsAccessor)
+    {
+        _accessControlService = accessControlService;
+        _globalSettings = globalSettings;
+    }
+
+    public async override Task<ClaimsPrincipal> CreateAsync(IdentityUser user)
+    {
+        var principal = await base.CreateAsync(user);
+
+        if (!_globalSettings.SelfHosted &&
+            !string.IsNullOrEmpty(user.Email) &&
+            principal.Identity != null)
+        {
+            var role = _accessControlService.GetUserRole(user.Email);
+
+            if (!string.IsNullOrEmpty(role))
+            {
+                ((ClaimsIdentity)principal.Identity).AddClaims(
+                new[] { new Claim(ClaimTypes.Role, role) });
+            }
+        }
+
+        return principal;
+    }
+}
--- a/src/Admin/IdentityServer/ServiceCollectionExtensions.cs
+++ b/src/Admin/IdentityServer/ServiceCollectionExtensions.cs
@@ -21,7 +21,8 @@ public static class ServiceCollectionExtensions
        var passwordlessIdentityBuilder = services.AddIdentity<IdentityUser, Role>()
            .AddUserStore<TUserStore>()
            .AddRoleStore<RoleStore>()
-            .AddDefaultTokenProviders();
+            .AddDefaultTokenProviders()
+            .AddClaimsPrincipalFactory<CustomClaimsPrincipalFactory>();

        var regularIdentityBuilder = services.AddIdentityCore<User>()
            .AddUserStore<UserStore>();