[SM-390] Project Access Policies (#2507)

The purpose of this PR is to create server endpoints for creating, reading, updating, and deleting access policies for projects.

src/Api/Controllers/AccessPoliciesController.cs

@@ -0,0 +1,69 @@
+using Bit.Api.SecretManagerFeatures.Models.Request;
+using Bit.Api.SecretManagerFeatures.Models.Response;
+using Bit.Api.Utilities;
+using Bit.Core.Entities;
+using Bit.Core.Repositories;
+using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Controllers;
+
+[SecretsManager]
+[Route("access-policies")]
+public class AccessPoliciesController : Controller
+{
+    private readonly IAccessPolicyRepository _accessPolicyRepository;
+    private readonly ICreateAccessPoliciesCommand _createAccessPoliciesCommand;
+    private readonly IDeleteAccessPolicyCommand _deleteAccessPolicyCommand;
+    private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
+
+    public AccessPoliciesController(
+        IAccessPolicyRepository accessPolicyRepository,
+        ICreateAccessPoliciesCommand createAccessPoliciesCommand,
+        IDeleteAccessPolicyCommand deleteAccessPolicyCommand,
+        IUpdateAccessPolicyCommand updateAccessPolicyCommand)
+    {
+        _accessPolicyRepository = accessPolicyRepository;
+        _createAccessPoliciesCommand = createAccessPoliciesCommand;
+        _deleteAccessPolicyCommand = deleteAccessPolicyCommand;
+        _updateAccessPolicyCommand = updateAccessPolicyCommand;
+    }
+
+    [HttpPost("/projects/{id}/access-policies")]
+    public async Task<ProjectAccessPoliciesResponseModel> CreateProjectAccessPoliciesAsync([FromRoute] Guid id,
+        [FromBody] AccessPoliciesCreateRequest request)
+    {
+        var policies = request.ToBaseAccessPoliciesForProject(id);
+        var results = await _createAccessPoliciesCommand.CreateAsync(policies);
+        return new ProjectAccessPoliciesResponseModel(results);
+    }
+
+    [HttpGet("/projects/{id}/access-policies")]
+    public async Task<ProjectAccessPoliciesResponseModel> GetProjectAccessPoliciesAsync([FromRoute] Guid id)
+    {
+        var results = await _accessPolicyRepository.GetManyByProjectId(id);
+        return new ProjectAccessPoliciesResponseModel(results);
+    }
+
+    [HttpPut("{id}")]
+    public async Task<BaseAccessPolicyResponseModel> UpdateAccessPolicyAsync([FromRoute] Guid id,
+        [FromBody] AccessPolicyUpdateRequest request)
+    {
+        var result = await _updateAccessPolicyCommand.UpdateAsync(id, request.Read, request.Write);
+
+        return result switch
+        {
+            UserProjectAccessPolicy accessPolicy => new UserProjectAccessPolicyResponseModel(accessPolicy),
+            GroupProjectAccessPolicy accessPolicy => new GroupProjectAccessPolicyResponseModel(accessPolicy),
+            ServiceAccountProjectAccessPolicy accessPolicy => new ServiceAccountProjectAccessPolicyResponseModel(
+                accessPolicy),
+            _ => throw new ArgumentException("Unsupported access policy type provided.")
+        };
+    }
+
+    [HttpDelete("{id}")]
+    public async Task DeleteAccessPolicyAsync([FromRoute] Guid id)
+    {
+        await _deleteAccessPolicyCommand.DeleteAsync(id);
+    }
+}

src/Api/SecretManagerFeatures/Models/Request/AccessPoliciesCreateRequest.cs

@@ -0,0 +1,77 @@
+#nullable enable
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+
+namespace Bit.Api.SecretManagerFeatures.Models.Request;
+
+public class AccessPoliciesCreateRequest
+{
+    public IEnumerable<AccessPolicyRequest>? UserAccessPolicyRequests { get; set; }
+
+    public IEnumerable<AccessPolicyRequest>? GroupAccessPolicyRequests { get; set; }
+
+    public IEnumerable<AccessPolicyRequest>? ServiceAccountAccessPolicyRequests { get; set; }
+
+    public List<BaseAccessPolicy> ToBaseAccessPoliciesForProject(Guid projectId)
+    {
+        if (UserAccessPolicyRequests == null && GroupAccessPolicyRequests == null && ServiceAccountAccessPolicyRequests == null)
+        {
+            throw new BadRequestException("No creation requests provided.");
+        }
+
+        var userAccessPolicies = UserAccessPolicyRequests?
+            .Select(x => x.ToUserProjectAccessPolicy(projectId)).ToList();
+
+        var groupAccessPolicies = GroupAccessPolicyRequests?
+            .Select(x => x.ToGroupProjectAccessPolicy(projectId)).ToList();
+
+        var serviceAccountAccessPolicies = ServiceAccountAccessPolicyRequests?
+            .Select(x => x.ToServiceAccountProjectAccessPolicy(projectId)).ToList();
+
+        var policies = new List<BaseAccessPolicy>();
+        if (userAccessPolicies != null) { policies.AddRange(userAccessPolicies); }
+        if (groupAccessPolicies != null) { policies.AddRange(groupAccessPolicies); }
+        if (serviceAccountAccessPolicies != null) { policies.AddRange(serviceAccountAccessPolicies); }
+        return policies;
+    }
+}
+
+public class AccessPolicyRequest
+{
+    [Required]
+    public Guid GranteeId { get; set; }
+
+    [Required]
+    public bool Read { get; set; }
+
+    [Required]
+    public bool Write { get; set; }
+
+    public UserProjectAccessPolicy ToUserProjectAccessPolicy(Guid projectId) =>
+        new()
+        {
+            OrganizationUserId = GranteeId,
+            GrantedProjectId = projectId,
+            Read = Read,
+            Write = Write
+        };
+
+    public GroupProjectAccessPolicy ToGroupProjectAccessPolicy(Guid projectId) =>
+        new()
+        {
+            GroupId = GranteeId,
+            GrantedProjectId = projectId,
+            Read = Read,
+            Write = Write
+        };
+
+    public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid projectId) =>
+        new()
+        {
+            ServiceAccountId = GranteeId,
+            GrantedProjectId = projectId,
+            Read = Read,
+            Write = Write
+        };
+}

src/Api/SecretManagerFeatures/Models/Request/AccessPolicyUpdateRequest.cs

@@ -0,0 +1,12 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Api.SecretManagerFeatures.Models.Request;
+
+public class AccessPolicyUpdateRequest
+{
+    [Required]
+    public bool Read { get; set; }
+
+    [Required]
+    public bool Write { get; set; }
+}

src/Api/SecretManagerFeatures/Models/Response/AccessPolicyResponseModel.cs

@@ -0,0 +1,128 @@
+#nullable enable
+using Bit.Core.Entities;
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.SecretManagerFeatures.Models.Response;
+
+public abstract class BaseAccessPolicyResponseModel : ResponseModel
+{
+    protected BaseAccessPolicyResponseModel(BaseAccessPolicy baseAccessPolicy, string obj) : base(obj)
+    {
+        Id = baseAccessPolicy.Id;
+        Read = baseAccessPolicy.Read;
+        Write = baseAccessPolicy.Write;
+        CreationDate = baseAccessPolicy.CreationDate;
+        RevisionDate = baseAccessPolicy.RevisionDate;
+    }
+
+    public Guid Id { get; set; }
+    public bool Read { get; set; }
+    public bool Write { get; set; }
+    public DateTime CreationDate { get; set; }
+    public DateTime RevisionDate { get; set; }
+}
+
+public class UserProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
+{
+    private const string _objectName = "userProjectAccessPolicy";
+
+    public UserProjectAccessPolicyResponseModel(UserProjectAccessPolicy accessPolicy) : base(accessPolicy, _objectName)
+    {
+        OrganizationUserId = accessPolicy.OrganizationUserId;
+        GrantedProjectId = accessPolicy.GrantedProjectId;
+        OrganizationUserName = accessPolicy.User?.Name;
+    }
+
+    public UserProjectAccessPolicyResponseModel() : base(new UserProjectAccessPolicy(), _objectName)
+    {
+    }
+
+    public Guid? OrganizationUserId { get; set; }
+    public string? OrganizationUserName { get; set; }
+    public Guid? GrantedProjectId { get; set; }
+}
+
+public class UserServiceAccountAccessPolicyResponseModel : BaseAccessPolicyResponseModel
+{
+    private const string _objectName = "userServiceAccountAccessPolicy";
+
+    public UserServiceAccountAccessPolicyResponseModel(UserServiceAccountAccessPolicy accessPolicy)
+        : base(accessPolicy, _objectName)
+    {
+        OrganizationUserId = accessPolicy.OrganizationUserId;
+        GrantedServiceAccountId = accessPolicy.GrantedServiceAccountId;
+        OrganizationUserName = accessPolicy.User?.Name;
+    }
+
+    public UserServiceAccountAccessPolicyResponseModel() : base(new UserServiceAccountAccessPolicy(), _objectName)
+    {
+    }
+
+    public Guid? OrganizationUserId { get; set; }
+    public string? OrganizationUserName { get; set; }
+    public Guid? GrantedServiceAccountId { get; set; }
+}
+
+public class GroupProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
+{
+    private const string _objectName = "groupProjectAccessPolicy";
+
+    public GroupProjectAccessPolicyResponseModel(GroupProjectAccessPolicy accessPolicy)
+        : base(accessPolicy, _objectName)
+    {
+        GroupId = accessPolicy.GroupId;
+        GrantedProjectId = accessPolicy.GrantedProjectId;
+        GroupName = accessPolicy.Group?.Name;
+    }
+
+    public GroupProjectAccessPolicyResponseModel() : base(new GroupProjectAccessPolicy(), _objectName)
+    {
+    }
+
+    public Guid? GroupId { get; set; }
+    public string? GroupName { get; set; }
+    public Guid? GrantedProjectId { get; set; }
+}
+
+public class GroupServiceAccountAccessPolicyResponseModel : BaseAccessPolicyResponseModel
+{
+    private const string _objectName = "groupServiceAccountAccessPolicy";
+
+    public GroupServiceAccountAccessPolicyResponseModel(GroupServiceAccountAccessPolicy accessPolicy)
+        : base(accessPolicy, _objectName)
+    {
+        GroupId = accessPolicy.GroupId;
+        GroupName = accessPolicy.Group?.Name;
+        GrantedServiceAccountId = accessPolicy.GrantedServiceAccountId;
+    }
+
+    public GroupServiceAccountAccessPolicyResponseModel() : base(new GroupServiceAccountAccessPolicy(), _objectName)
+    {
+    }
+
+    public Guid? GroupId { get; set; }
+    public string? GroupName { get; set; }
+    public Guid? GrantedServiceAccountId { get; set; }
+}
+
+public class ServiceAccountProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
+{
+    private const string _objectName = "serviceAccountProjectAccessPolicy";
+
+    public ServiceAccountProjectAccessPolicyResponseModel(ServiceAccountProjectAccessPolicy accessPolicy)
+        : base(accessPolicy, _objectName)
+    {
+        ServiceAccountId = accessPolicy.ServiceAccountId;
+        GrantedProjectId = accessPolicy.GrantedProjectId;
+        ServiceAccountName = accessPolicy.ServiceAccount?.Name;
+    }
+
+    public ServiceAccountProjectAccessPolicyResponseModel()
+        : base(new ServiceAccountProjectAccessPolicy(), _objectName)
+    {
+    }
+
+    public Guid? ServiceAccountId { get; set; }
+    public string? ServiceAccountName { get; set; }
+    public Guid? GrantedProjectId { get; set; }
+}

src/Api/SecretManagerFeatures/Models/Response/ProjectAccessPoliciesResponseModel.cs

@@ -0,0 +1,43 @@
+using Bit.Core.Entities;
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.SecretManagerFeatures.Models.Response;
+
+public class ProjectAccessPoliciesResponseModel : ResponseModel
+{
+    private const string _objectName = "projectAccessPolicies";
+
+    public ProjectAccessPoliciesResponseModel(IEnumerable<BaseAccessPolicy> baseAccessPolicies)
+        : base(_objectName)
+    {
+        if (baseAccessPolicies == null)
+        {
+            return;
+        }
+
+        foreach (var baseAccessPolicy in baseAccessPolicies)
+            switch (baseAccessPolicy)
+            {
+                case UserProjectAccessPolicy accessPolicy:
+                    UserAccessPolicies.Add(new UserProjectAccessPolicyResponseModel(accessPolicy));
+                    break;
+                case GroupProjectAccessPolicy accessPolicy:
+                    GroupAccessPolicies.Add(new GroupProjectAccessPolicyResponseModel(accessPolicy));
+                    break;
+                case ServiceAccountProjectAccessPolicy accessPolicy:
+                    ServiceAccountAccessPolicies.Add(
+                        new ServiceAccountProjectAccessPolicyResponseModel(accessPolicy));
+                    break;
+            }
+    }
+
+    public ProjectAccessPoliciesResponseModel() : base(_objectName)
+    {
+    }
+
+    public List<UserProjectAccessPolicyResponseModel> UserAccessPolicies { get; set; } = new();
+
+    public List<GroupProjectAccessPolicyResponseModel> GroupAccessPolicies { get; set; } = new();
+
+    public List<ServiceAccountProjectAccessPolicyResponseModel> ServiceAccountAccessPolicies { get; set; } = new();
+}

src/Core/Entities/AccessPolicy.cs

@@ -1,33 +1,8 @@
-using Bit.Core.Utilities;
+#nullable enable
+using Bit.Core.Utilities;
 
 namespace Bit.Core.Entities;
 
-public class AccessPolicy : ITableObject<Guid>
-{
-    public Guid Id { get; set; }
-
-    // Object to grant access from
-    public Guid? OrganizationUserId { get; set; }
-    public Guid? GroupId { get; set; }
-    public Guid? ServiceAccountId { get; set; }
-
-    // Object to grant access to
-    public Guid? GrantedProjectId { get; set; }
-    public Guid? GrantedServiceAccountId { get; set; }
-
-    // Access
-    public bool Read { get; set; }
-    public bool Write { get; set; }
-
-    public DateTime CreationDate { get; set; }
-    public DateTime RevisionDate { get; set; }
-
-    public void SetNewId()
-    {
-        Id = CoreHelpers.GenerateComb();
-    }
-}
-
 public abstract class BaseAccessPolicy
 {
     public Guid Id { get; set; }
@@ -36,8 +11,8 @@ public abstract class BaseAccessPolicy
     public bool Read { get; set; }
     public bool Write { get; set; }
 
-    public DateTime CreationDate { get; set; }
-    public DateTime RevisionDate { get; set; }
+    public DateTime CreationDate { get; set; } = DateTime.UtcNow;
+    public DateTime RevisionDate { get; set; } = DateTime.UtcNow;
 
     public void SetNewId()
     {
@@ -49,28 +24,33 @@ public class UserProjectAccessPolicy : BaseAccessPolicy
 {
     public Guid? OrganizationUserId { get; set; }
     public Guid? GrantedProjectId { get; set; }
+    public User? User { get; set; }
 }
 
 public class UserServiceAccountAccessPolicy : BaseAccessPolicy
 {
     public Guid? OrganizationUserId { get; set; }
     public Guid? GrantedServiceAccountId { get; set; }
+    public User? User { get; set; }
 }
 
 public class GroupProjectAccessPolicy : BaseAccessPolicy
 {
     public Guid? GroupId { get; set; }
     public Guid? GrantedProjectId { get; set; }
+    public Group? Group { get; set; }
 }
 
 public class GroupServiceAccountAccessPolicy : BaseAccessPolicy
 {
     public Guid? GroupId { get; set; }
     public Guid? GrantedServiceAccountId { get; set; }
+    public Group? Group { get; set; }
 }
 
 public class ServiceAccountProjectAccessPolicy : BaseAccessPolicy
 {
     public Guid? ServiceAccountId { get; set; }
     public Guid? GrantedProjectId { get; set; }
+    public ServiceAccount? ServiceAccount { get; set; }
 }

src/Core/Repositories/IAccessPolicyRepository.cs

@@ -1,7 +1,14 @@
-using Bit.Core.Entities;
+#nullable enable
+using Bit.Core.Entities;
 
 namespace Bit.Core.Repositories;
 
-public interface IAccessPolicyRepository : IRepository<AccessPolicy, Guid>
+public interface IAccessPolicyRepository
 {
+    Task<List<BaseAccessPolicy>> CreateManyAsync(List<BaseAccessPolicy> baseAccessPolicies);
+    Task<bool> AccessPolicyExists(BaseAccessPolicy baseAccessPolicy);
+    Task<BaseAccessPolicy?> GetByIdAsync(Guid id);
+    Task<IEnumerable<BaseAccessPolicy>?> GetManyByProjectId(Guid id);
+    Task ReplaceAsync(BaseAccessPolicy baseAccessPolicy);
+    Task DeleteAsync(Guid id);
 }

src/Core/SecretManagerFeatures/AccessPolicies/Interfaces/ICreateAccessPoliciesCommand.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
+
+public interface ICreateAccessPoliciesCommand
+{
+    Task<List<BaseAccessPolicy>> CreateAsync(List<BaseAccessPolicy> accessPolicies);
+}

src/Core/SecretManagerFeatures/AccessPolicies/Interfaces/IDeleteAccessPolicyCommand.cs

@@ -0,0 +1,6 @@
+namespace Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
+
+public interface IDeleteAccessPolicyCommand
+{
+    Task DeleteAsync(Guid id);
+}

src/Core/SecretManagerFeatures/AccessPolicies/Interfaces/IUpdateAccessPolicyCommand.cs

@@ -0,0 +1,8 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
+
+public interface IUpdateAccessPolicyCommand
+{
+    public Task<BaseAccessPolicy> UpdateAsync(Guid id, bool read, bool write);
+}

src/Infrastructure.EntityFramework/Models/AccessPolicy.cs

@@ -11,7 +11,10 @@ public class AccessPolicyMapperProfile : Profile
 {
     public AccessPolicyMapperProfile()
     {
-        CreateMap<Core.Entities.AccessPolicy, AccessPolicy>().ReverseMap();
+        CreateMap<Core.Entities.UserProjectAccessPolicy, UserProjectAccessPolicy>().ReverseMap()
+            .ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
+        CreateMap<Core.Entities.GroupProjectAccessPolicy, GroupProjectAccessPolicy>().ReverseMap();
+        CreateMap<Core.Entities.ServiceAccountProjectAccessPolicy, ServiceAccountProjectAccessPolicy>().ReverseMap();
     }
 }
 

src/Infrastructure.EntityFramework/Repositories/AccessPolicyRepository.cs

@@ -1,27 +0,0 @@
-using AutoMapper;
-using Bit.Core.Repositories;
-using Bit.Infrastructure.EntityFramework.Models;
-using Microsoft.EntityFrameworkCore;
-using Microsoft.Extensions.DependencyInjection;
-using CoreAccessPolicy = Bit.Core.Entities.AccessPolicy;
-
-namespace Bit.Infrastructure.EntityFramework.Repositories;
-
-public class AccessPolicyRepository : IAccessPolicyRepository
-{
-    public AccessPolicyRepository(IServiceScopeFactory serviceScopeFactory, IMapper mapper)
-    {
-    }
-
-    protected Func<DatabaseContext, DbSet<AccessPolicy>> GetDbSet { get; private set; }
-
-    public Task<CoreAccessPolicy> GetByIdAsync(Guid id) => throw new NotImplementedException();
-
-    public Task<CoreAccessPolicy> CreateAsync(CoreAccessPolicy obj) => throw new NotImplementedException();
-
-    public Task ReplaceAsync(CoreAccessPolicy obj) => throw new NotImplementedException();
-
-    public Task UpsertAsync(CoreAccessPolicy obj) => throw new NotImplementedException();
-
-    public Task DeleteAsync(CoreAccessPolicy obj) => throw new NotImplementedException();
-}

src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs

@@ -17,6 +17,9 @@ public class DatabaseContext : DbContext
     { }
 
     public DbSet<AccessPolicy> AccessPolicies { get; set; }
+    public DbSet<UserProjectAccessPolicy> UserProjectAccessPolicy { get; set; }
+    public DbSet<GroupProjectAccessPolicy> GroupProjectAccessPolicy { get; set; }
+    public DbSet<ServiceAccountProjectAccessPolicy> ServiceAccountProjectAccessPolicy { get; set; }
     public DbSet<ApiKey> ApiKeys { get; set; }
     public DbSet<Cipher> Ciphers { get; set; }
     public DbSet<Collection> Collections { get; set; }