[AC-1174] CollectionUser and CollectionGroup authorization handlers (#3194)

* [AC-1174] Introduce BulkAuthorizationHandler.cs * [AC-1174] Introduce CollectionUserAuthorizationHandler * [AC-1174] Add CreateForNewCollection CollectionUser requirement * [AC-1174] Add some more details to CollectionCustomization * [AC-1174] Formatting * [AC-1174] Add CollectionGroupOperation.cs * [AC-1174] Introduce CollectionGroupAuthorizationHandler.cs * [AC-1174] Cleanup CollectionFixture customization Implement and use re-usable extension method to support seeded Guids * [AC-1174] Introduce WithValueFromList AutoFixtureExtensions Modify CollectionCustomization to use multiple organization Ids for auto generated test data * [AC-1174] Simplify CollectionUserAuthorizationHandler.cs Modify the authorization handler to only perform authorization logic. Validation logic will need to be handled by any calling commands/controllers instead. * [AC-1174] Introduce shared CollectionAccessAuthorizationHandlerBase A shared base authorization handler was created for both CollectionUser and CollectionGroup resources, as they share the same underlying management authorization logic. * [AC-1174] Update CollectionUserAuthorizationHandler and CollectionGroupAuthorizationHandler to use the new CollectionAccessAuthorizationHandlerBase class * [AC-1174] Formatting * [AC-1174] Cleanup typo and redundant ToList() call * [AC-1174] Add check for provider users * [AC-1174] Reduce nested loops * [AC-1174] Introduce ICollectionAccess.cs * [AC-1174] Remove individual CollectionGroup and CollectionUser auth handlers and use base class instead * [AC-1174] Tweak unit test to fail minimally * [AC-1174] Reorganize authorization handlers in Core project * [AC-1174] Introduce new AddCoreAuthorizationHandlers() extension method * [AC-1174] Move CollectionAccessAuthorizationHandler into Api project * [AC-1174] Move CollectionFixture to Vault folder * [AC-1174] Rename operation to CreateUpdateDelete * [AC-1174] Require single organization for collection access authorization handler - Add requirement that all target collections must belong to the same organization - Simplify logic related to multiple organizations - Update tests and helpers - Use ToHashSet to improve lookup time * [AC-1174] Fix null reference exception * [AC-1174] Throw bad request exception when collections belong to different organizations * [AC-1174] Switch to CollectionAuthorizationHandler instead of CollectionAccessAuthorizationHandler to reduce complexity
2026-01-03 17:14:00 +00:00 · 2023-08-30 14:13:58 -07:00
parent e87c20c7a1
commit 5dc3ca85c3
9 changed files with 497 additions and 1 deletions
--- a/src/Core/Utilities/BulkAuthorizationHandler.cs
+++ b/src/Core/Utilities/BulkAuthorizationHandler.cs
@@ -0,0 +1,40 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Utilities;
+
+/// <summary>
+/// Allows a single authorization handler implementation to handle requirements for
+/// both singular or bulk operations on single or multiple resources.
+/// </summary>
+/// <typeparam name="TRequirement">The type of the requirement to evaluate.</typeparam>
+/// <typeparam name="TResource">The type of the resource(s) that will be evaluated.</typeparam>
+public abstract class BulkAuthorizationHandler<TRequirement, TResource> : AuthorizationHandler<TRequirement>
+    where TRequirement : IAuthorizationRequirement
+{
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement)
+    {
+        // Attempt to get the resource(s) from the context
+        var bulkResources = GetBulkResourceFromContext(context);
+
+        // No resources of the expected type were found in the context, nothing to evaluate
+        if (bulkResources == null)
+        {
+            return;
+        }
+
+        await HandleRequirementAsync(context, requirement, bulkResources);
+    }
+
+    private static ICollection<TResource> GetBulkResourceFromContext(AuthorizationHandlerContext context)
+    {
+        return context.Resource switch
+        {
+            TResource resource => new List<TResource> { resource },
+            IEnumerable<TResource> resources => resources.ToList(),
+            _ => null
+        };
+    }
+
+    protected abstract Task HandleRequirementAsync(AuthorizationHandlerContext context, TRequirement requirement,
+        ICollection<TResource> resources);
+}