Add RBAC to Bitwarden Portal (#2853)

* Auth/pm-48 (#2680) * PM-48 - add user's role as a claim and establish access control service * PM-48 - remove function unrelated to the role claim * PM-48 - fix whitespace issues * PM-48 - move registration of CustomClaimsPrincipalFactory, replace role claim type string with constant, streamline code that retrieves the user's role * Auth/pm-47 (#2699) * PM-48 - add user's role as a claim and establish access control service * PM-48 - remove function unrelated to the role claim * PM-48 - fix whitespace issues * PM-47 - add list of permission enums, role:permissions mapping, and function that determines if the logged in user has the given permission * PM-47 - remove unneeded service registration, set role to lowercase * PM-47 - fix code style issues * PM-46 - create permission filter attribute (#2753) * Auth/pm-54 add rbac for users (#2758) * PM-54 - add permission gates to User elements * PM-54 - fix formatting * PM-54 - remove unused function * PM-54 - fix variable reference, add permission to billing role * PM-54 - handle Upgrade Premium button functionality and fix spelling * PM-54 - change permission name to be more accurate * PM-49 - update role retrieval (#2779) * Auth/[PM-50] add rbac for logs (#2782) * PM-50 - add rbac for logs * PM-50 - remove unnecessary action filter * PM-51 - add RBAC for tools (#2799) * Auth/[pm-52] add rbac providers (#2818) * PM-52 add rbac for providers * PM-52 - update redirect action * PM-52 - add back edit functionality and permission * PM-52 - reverse changes around removing edit functionality * PM-52 - moved permission check to variable assignement * PM-53 - add rbac for organizations (#2798) * PM-52 - add missed permission to billing role (#2836) * Fixed merge conflicts. * [PM-1846] Updates to add RBAC back after merge conflicts (#2870) * Updates to add RBAC to changes from reseller. * Added back checks for delete and initiating a trial. * Removed extraneous Razor tag. --------- Co-authored-by: dgoodman-bw <109169446+dgoodman-bw@users.noreply.github.com> Co-authored-by: Danielle Goodman <dgoodman@bitwarden.com> Co-authored-by: Jacob Fink <jfink@bitwarden.com>
2025-12-29 06:33:43 +00:00 · 2023-05-04 15:18:49 -04:00
parent 2ac513e15a
commit 0bd0910c39
24 changed files with 1101 additions and 410 deletions
--- a/src/Admin/Services/AccessControlService.cs
+++ b/src/Admin/Services/AccessControlService.cs
@@ -0,0 +1,66 @@
+using System.Security.Claims;
+using Bit.Admin.Enums;
+using Bit.Admin.Utilities;
+using Bit.Core.Settings;
+
+namespace Bit.Admin.Services;
+
+public class AccessControlService : IAccessControlService
+{
+    private readonly IHttpContextAccessor _httpContextAccessor;
+    private readonly IConfiguration _configuration;
+    private readonly IGlobalSettings _globalSettings;
+
+    public AccessControlService(
+        IHttpContextAccessor httpContextAccessor,
+        IConfiguration configuration,
+        IGlobalSettings globalSettings)
+    {
+        _httpContextAccessor = httpContextAccessor;
+        _configuration = configuration;
+        _globalSettings = globalSettings;
+    }
+
+    public bool UserHasPermission(Permission permission)
+    {
+        if (_globalSettings.SelfHosted)
+        {
+            return true;
+        }
+
+        var userRole = GetUserRoleFromClaim();
+        if (string.IsNullOrEmpty(userRole) || !RolePermissionMapping.RolePermissions.ContainsKey(userRole))
+        {
+            return false;
+        }
+
+        return RolePermissionMapping.RolePermissions[userRole].Contains(permission);
+    }
+
+    public string GetUserRole(string userEmail)
+    {
+        var roles = _configuration.GetSection("adminSettings:role").GetChildren();
+
+        if (roles == null || !roles.Any())
+        {
+            return null;
+        }
+
+        userEmail = userEmail.ToLowerInvariant();
+
+        var userRole = roles.FirstOrDefault(s => (s.Value != null ? s.Value.ToLowerInvariant().Split(',').Contains(userEmail) : false));
+
+        if (userRole == null)
+        {
+            return null;
+        }
+
+        return userRole.Key.ToLowerInvariant();
+    }
+
+    private string GetUserRoleFromClaim()
+    {
+        return _httpContextAccessor.HttpContext?.User?.Claims?
+                 .FirstOrDefault(c => c.Type == ClaimTypes.Role)?.Value;
+    }
+}
--- a/src/Admin/Services/IAccessControlService.cs
+++ b/src/Admin/Services/IAccessControlService.cs
@@ -0,0 +1,9 @@
+using Bit.Admin.Enums;
+
+namespace Bit.Admin.Services;
+
+public interface IAccessControlService
+{
+    public bool UserHasPermission(Permission permission);
+    public string GetUserRole(string userEmail);
+}