bitwarden/server
1
0
Fork 0
mirror of https://github.com/bitwarden/server synced 2025-12-16 08:13:33 +00:00
Code Issues Releases Wiki Activity

[SM-707] Refactor authorization for Access Policy Commands (#2905)

Browse Source 
* Extract authorization from access policy commands

* Use auto mapper to ignore unwanted properties

---------
This commit is contained in:
Thomas Avery
2023-07-13 11:46:01 -05:00
committed by GitHub
parent d6a45d4802
commit 1d9aeb37aa
19 changed files with 1732 additions and 1138 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
src/Api/SecretsManager/Models/Request/AccessPoliciesCreateRequest.cs
View File

@@ -7,13 +7,36 @@ namespace Bit.Api.SecretsManager.Models.Request;
public class AccessPoliciesCreateRequest
{
private static void CheckForDistinctAccessPolicies(IReadOnlyCollection<BaseAccessPolicy> accessPolicies)
{
var distinctAccessPolicies = accessPolicies.DistinctBy(baseAccessPolicy =>
{
return baseAccessPolicy switch
{
UserProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId, ap.GrantedProjectId),
GroupProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedProjectId),
ServiceAccountProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.ServiceAccountId,
ap.GrantedProjectId),
UserServiceAccountAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId,
ap.GrantedServiceAccountId),
GroupServiceAccountAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedServiceAccountId),
_ => throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy)),
};
}).ToList();
if (accessPolicies.Count != distinctAccessPolicies.Count)
{
throw new BadRequestException("Resources must be unique");
}
}
public IEnumerable<AccessPolicyRequest>? UserAccessPolicyRequests { get; set; }
public IEnumerable<AccessPolicyRequest>? GroupAccessPolicyRequests { get; set; }
public IEnumerable<AccessPolicyRequest>? ServiceAccountAccessPolicyRequests { get; set; }
public List<BaseAccessPolicy> ToBaseAccessPoliciesForProject(Guid grantedProjectId)
public List<BaseAccessPolicy> ToBaseAccessPoliciesForProject(Guid grantedProjectId, Guid organizationId)
{
if (UserAccessPolicyRequests == null && GroupAccessPolicyRequests == null && ServiceAccountAccessPolicyRequests == null)
{
@@ -21,13 +44,13 @@ public class AccessPoliciesCreateRequest
}
var userAccessPolicies = UserAccessPolicyRequests?
.Select(x => x.ToUserProjectAccessPolicy(grantedProjectId)).ToList();
.Select(x => x.ToUserProjectAccessPolicy(grantedProjectId, organizationId)).ToList();
var groupAccessPolicies = GroupAccessPolicyRequests?
.Select(x => x.ToGroupProjectAccessPolicy(grantedProjectId)).ToList();
.Select(x => x.ToGroupProjectAccessPolicy(grantedProjectId, organizationId)).ToList();
var serviceAccountAccessPolicies = ServiceAccountAccessPolicyRequests?
.Select(x => x.ToServiceAccountProjectAccessPolicy(grantedProjectId)).ToList();
.Select(x => x.ToServiceAccountProjectAccessPolicy(grantedProjectId, organizationId)).ToList();
var policies = new List<BaseAccessPolicy>();
if (userAccessPolicies != null)
@@ -44,10 +67,12 @@ public class AccessPoliciesCreateRequest
{
policies.AddRange(serviceAccountAccessPolicies);
}
CheckForDistinctAccessPolicies(policies);
return policies;
}
public List<BaseAccessPolicy> ToBaseAccessPoliciesForServiceAccount(Guid grantedServiceAccountId)
public List<BaseAccessPolicy> ToBaseAccessPoliciesForServiceAccount(Guid grantedServiceAccountId, Guid organizationId)
{
if (UserAccessPolicyRequests == null && GroupAccessPolicyRequests == null)
{
@@ -55,10 +80,10 @@ public class AccessPoliciesCreateRequest
}
var userAccessPolicies = UserAccessPolicyRequests?
.Select(x => x.ToUserServiceAccountAccessPolicy(grantedServiceAccountId)).ToList();
.Select(x => x.ToUserServiceAccountAccessPolicy(grantedServiceAccountId, organizationId)).ToList();
var groupAccessPolicies = GroupAccessPolicyRequests?
.Select(x => x.ToGroupServiceAccountAccessPolicy(grantedServiceAccountId)).ToList();
.Select(x => x.ToGroupServiceAccountAccessPolicy(grantedServiceAccountId, organizationId)).ToList();
var policies = new List<BaseAccessPolicy>();
if (userAccessPolicies != null)
@@ -70,6 +95,8 @@ public class AccessPoliciesCreateRequest
{
policies.AddRange(groupAccessPolicies);
}
CheckForDistinctAccessPolicies(policies);
return policies;
}
@@ -105,47 +132,52 @@ public class AccessPolicyRequest
[Required]
public bool Write { get; set; }
public UserProjectAccessPolicy ToUserProjectAccessPolicy(Guid projectId) =>
public UserProjectAccessPolicy ToUserProjectAccessPolicy(Guid projectId, Guid organizationId) =>
new()
{
OrganizationUserId = GranteeId,
GrantedProjectId = projectId,
GrantedProject = new Project { OrganizationId = organizationId, Id = projectId },
Read = Read,
Write = Write
};
public GroupProjectAccessPolicy ToGroupProjectAccessPolicy(Guid projectId) =>
public GroupProjectAccessPolicy ToGroupProjectAccessPolicy(Guid projectId, Guid organizationId) =>
new()
{
GroupId = GranteeId,
GrantedProjectId = projectId,
GrantedProject = new Project { OrganizationId = organizationId, Id = projectId },
Read = Read,
Write = Write
};
public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid projectId) =>
public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid projectId, Guid organizationId) =>
new()
{
ServiceAccountId = GranteeId,
GrantedProjectId = projectId,
GrantedProject = new Project { OrganizationId = organizationId, Id = projectId },
Read = Read,
Write = Write
};
public UserServiceAccountAccessPolicy ToUserServiceAccountAccessPolicy(Guid id) =>
public UserServiceAccountAccessPolicy ToUserServiceAccountAccessPolicy(Guid id, Guid organizationId) =>
new()
{
OrganizationUserId = GranteeId,
GrantedServiceAccountId = id,
GrantedServiceAccount = new ServiceAccount() { OrganizationId = organizationId, Id = id },
Read = Read,
Write = Write
};
public GroupServiceAccountAccessPolicy ToGroupServiceAccountAccessPolicy(Guid id) =>
public GroupServiceAccountAccessPolicy ToGroupServiceAccountAccessPolicy(Guid id, Guid organizationId) =>
new()
{
GroupId = GranteeId,
GrantedServiceAccountId = id,
GrantedServiceAccount = new ServiceAccount() { OrganizationId = organizationId, Id = id },
Read = Read,
Write = Write
};

6
src/Api/SecretsManager/Models/Request/GrantedAccessPolicyRequest.cs
View File

@@ -1,5 +1,6 @@
using System.ComponentModel.DataAnnotations;
using Bit.Core.SecretsManager.Entities;
using Bit.Infrastructure.EntityFramework.SecretsManager.Models;
using ServiceAccountProjectAccessPolicy = Bit.Core.SecretsManager.Entities.ServiceAccountProjectAccessPolicy;
namespace Bit.Api.SecretsManager.Models.Request;
@@ -14,10 +15,11 @@ public class GrantedAccessPolicyRequest
[Required]
public bool Write { get; set; }
public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid serviceAccountId) =>
public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid serviceAccountId, Guid organizationId) =>
new()
{
ServiceAccountId = serviceAccountId,
ServiceAccount = new ServiceAccount() { Id = serviceAccountId, OrganizationId = organizationId },
GrantedProjectId = GrantedId,
Read = Read,
Write = Write,