[SM-919] Add project people access policy management endpoints (#3285)

* Expose access policy discriminators * Add people policy model and auth handler * Add unit tests for authz handler * Add people policies support in repo * Add new endpoints and request/response models * Update tests
2025-12-30 07:03:42 +00:00 · 2023-11-08 11:42:40 -05:00
parent 35500b197d
commit 0ca65e3f9d
17 changed files with 1211 additions and 73 deletions
--- a/src/Api/SecretsManager/Models/Request/PeopleAccessPoliciesRequestModel.cs
+++ b/src/Api/SecretsManager/Models/Request/PeopleAccessPoliciesRequestModel.cs
@@ -0,0 +1,64 @@
+using Bit.Core.Exceptions;
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Models.Data;
+
+namespace Bit.Api.SecretsManager.Models.Request;
+
+public class PeopleAccessPoliciesRequestModel
+{
+    public IEnumerable<AccessPolicyRequest> UserAccessPolicyRequests { get; set; }
+
+    public IEnumerable<AccessPolicyRequest> GroupAccessPolicyRequests { get; set; }
+
+    private static void CheckForDistinctAccessPolicies(IReadOnlyCollection<BaseAccessPolicy> accessPolicies)
+    {
+        var distinctAccessPolicies = accessPolicies.DistinctBy(baseAccessPolicy =>
+        {
+            return baseAccessPolicy switch
+            {
+                UserProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId, ap.GrantedProjectId),
+                GroupProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedProjectId),
+                ServiceAccountProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.ServiceAccountId,
+                    ap.GrantedProjectId),
+                UserServiceAccountAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId,
+                    ap.GrantedServiceAccountId),
+                GroupServiceAccountAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedServiceAccountId),
+                _ => throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy))
+            };
+        }).ToList();
+
+        if (accessPolicies.Count != distinctAccessPolicies.Count)
+        {
+            throw new BadRequestException("Resources must be unique");
+        }
+    }
+
+    public ProjectPeopleAccessPolicies ToProjectPeopleAccessPolicies(Guid grantedProjectId, Guid organizationId)
+    {
+        var userAccessPolicies = UserAccessPolicyRequests?
+            .Select(x => x.ToUserProjectAccessPolicy(grantedProjectId, organizationId)).ToList();
+
+        var groupAccessPolicies = GroupAccessPolicyRequests?
+            .Select(x => x.ToGroupProjectAccessPolicy(grantedProjectId, organizationId)).ToList();
+        var policies = new List<BaseAccessPolicy>();
+        if (userAccessPolicies != null)
+        {
+            policies.AddRange(userAccessPolicies);
+        }
+
+        if (groupAccessPolicies != null)
+        {
+            policies.AddRange(groupAccessPolicies);
+        }
+
+        CheckForDistinctAccessPolicies(policies);
+
+        return new ProjectPeopleAccessPolicies
+        {
+            Id = grantedProjectId,
+            OrganizationId = organizationId,
+            UserAccessPolicies = userAccessPolicies,
+            GroupAccessPolicies = groupAccessPolicies
+        };
+    }
+}