mirror of https://github.com/bitwarden/server synced 2026-01-06 18:43:36 +00:00

[AC-1809] Update OrganizationAbility with Collection Management Settings (#3571)

* feat: Update OrganizationAbility with LimitCollectionCreationDeletion, refs AC-1809

* feat: Update OrganizationAbility constructor usage to pass feature flag state, refs AC-1809

* feat: Update EF retrieval of org abilities to include new property from database, refs AC-1809

* feat: Update sproc to include LimitCollectionCreationDeletion property and create migration, refs AC-1809

* feat: Inject ApplicationCache into handler accessing LimitCollectionCreationDeletion, refs AC-1809

* feat: remove collection management settings from CurrentContextOrganization and update tests, refs AC-1809

* feat: add AllowAdminAccessToAllCollectionItems to OrganizationAbility pipeline, refs AC-1809

---------

Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
Vincent Salucci
2023-12-27 18:07:06 -06:00
committed by GitHub
parent 2ab35e389c
commit 71def39015
12 changed files with 257 additions and 50 deletions


@@ -4,6 +4,7 @@ using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Utilities;
@@ -20,6 +21,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
private readonly ICurrentContext _currentContext;
private readonly ICollectionRepository _collectionRepository;
private readonly IFeatureService _featureService;
private readonly IApplicationCacheService _applicationCacheService;
private Guid _targetOrganizationId;
private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
@@ -27,11 +29,13 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
public BulkCollectionAuthorizationHandler(
ICurrentContext currentContext,
ICollectionRepository collectionRepository,
IFeatureService featureService)
IFeatureService featureService,
IApplicationCacheService applicationCacheService)
{
_currentContext = currentContext;
_collectionRepository = collectionRepository;
_featureService = featureService;
_applicationCacheService = applicationCacheService;
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@@ -84,7 +88,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
case not null when requirement == BulkCollectionOperations.Update:
case not null when requirement == BulkCollectionOperations.ModifyAccess:
await CanUpdateCollection(context, requirement, resources, org);
await CanUpdateCollectionAsync(context, requirement, resources, org);
break;
case not null when requirement == BulkCollectionOperations.Delete:
@@ -96,10 +100,8 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
private async Task CanCreateAsync(AuthorizationHandlerContext context, IAuthorizationRequirement requirement,
CurrentContextOrganization? org)
{
// If the limit collection management setting is disabled, allow any user to create collections
// Otherwise, Owners, Admins, and users with CreateNewCollections permission can always create collections
// Owners, Admins, and users with CreateNewCollections permission can always create collections
if (org is
{ LimitCollectionCreationDeletion: false } or
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
{ Permissions.CreateNewCollections: true })
{
@@ -107,6 +109,13 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
return;
}
// If the limit collection management setting is disabled, allow any user to create collections
if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
{
context.Succeed(requirement);
return;
}
// Allow provider users to create collections if they are a provider for the target organization
if (await _currentContext.ProviderUserForOrgAsync(_targetOrganizationId))
{
@@ -182,7 +191,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
/// <summary>
/// Ensures the acting user is allowed to update the target collections or manage access permissions for them.
/// </summary>
private async Task CanUpdateCollection(AuthorizationHandlerContext context,
private async Task CanUpdateCollectionAsync(AuthorizationHandlerContext context,
IAuthorizationRequirement requirement, ICollection<Collection> resources,
CurrentContextOrganization? org)
{
@@ -226,9 +235,10 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
return;
}
// Check for non-null org here: the user must be apart of the organization for this setting to take affect
// The limit collection management setting is disabled,
// ensure acting user has manage permissions for all collections being deleted
if (org is { LimitCollectionCreationDeletion: false })
if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
{
var canManageCollections = await CanManageCollectionsAsync(resources, org);
if (canManageCollections)
@@ -261,4 +271,19 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
// Check if the acting user has access to all target collections
return targetCollections.All(tc => assignedCollectionIds.Contains(tc.Id));
}
private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
{
// If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
// irrelevant
if (organization == null)
{
return null;
}
(await _applicationCacheService.GetOrganizationAbilitiesAsync())
.TryGetValue(organization.Id, out var organizationAbility);
return organizationAbility;
}
}
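Review bot: `GetOrganizationAbilityAsync` at the end of this section discards the `TryGetValue` result, so an organization missing from the cache yields null and the `is { LimitCollectionCreationDeletion: false }` checks in `CanCreateAsync` and the delete path do not match. That fails closed, which is the right default for an authorization handler, but nothing marks it as intentional; a comment such as `// Not in cache => null => setting treated as enabled (no extra grant); never default to permissive here` would protect it from a later refactor. The helper is also copied verbatim into GroupAuthorizationHandler and OrganizationUserAuthorizationHandler, so one shared method would keep the three checks from drifting apart. The grant now depends on how quickly the cache reflects an admin turning the limit on; the refresh path is not visible in this diff, so confirm that a stale `false` cannot keep create/delete open for long.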


@@ -3,6 +3,7 @@ using Bit.Core;
using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.Services;
using Microsoft.AspNetCore.Authorization;
@@ -16,15 +17,18 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
{
private readonly ICurrentContext _currentContext;
private readonly IFeatureService _featureService;
private readonly IApplicationCacheService _applicationCacheService;
private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
public GroupAuthorizationHandler(
ICurrentContext currentContext,
IFeatureService featureService)
IFeatureService featureService,
IApplicationCacheService applicationCacheService)
{
_currentContext = currentContext;
_featureService = featureService;
_applicationCacheService = applicationCacheService;
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@@ -62,10 +66,8 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
private async Task CanReadAllAsync(AuthorizationHandlerContext context, GroupOperationRequirement requirement,
CurrentContextOrganization? org)
{
// If the limit collection management setting is disabled, allow any user to read all groups
// Otherwise, Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all groups
// Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all groups
if (org is
{ LimitCollectionCreationDeletion: false } or
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
{ Permissions.ManageGroups: true } or
{ Permissions.ManageUsers: true } or
@@ -77,10 +79,33 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
return;
}
// Check for non-null org here: the user must be apart of the organization for this setting to take affect
// If the limit collection management setting is disabled, allow any user to read all groups
if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
{
context.Succeed(requirement);
return;
}
// Allow provider users to read all groups if they are a provider for the target organization
if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
{
context.Succeed(requirement);
}
}
private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
{
// If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
// irrelevant
if (organization == null)
{
return null;
}
(await _applicationCacheService.GetOrganizationAbilitiesAsync())
.TryGetValue(organization.Id, out var organizationAbility);
return organizationAbility;
}
}


@@ -3,6 +3,7 @@ using Bit.Core;
using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.Services;
using Microsoft.AspNetCore.Authorization;
@@ -16,15 +17,18 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
{
private readonly ICurrentContext _currentContext;
private readonly IFeatureService _featureService;
private readonly IApplicationCacheService _applicationCacheService;
private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
public OrganizationUserAuthorizationHandler(
ICurrentContext currentContext,
IFeatureService featureService)
IFeatureService featureService,
IApplicationCacheService applicationCacheService)
{
_currentContext = currentContext;
_featureService = featureService;
_applicationCacheService = applicationCacheService;
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@@ -64,7 +68,6 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
// If the limit collection management setting is disabled, allow any user to read all organization users
// Otherwise, Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all organization users
if (org is
{ LimitCollectionCreationDeletion: false } or
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
{ Permissions.ManageGroups: true } or
{ Permissions.ManageUsers: true } or
@@ -76,10 +79,33 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
return;
}
// Check for non-null org here: the user must be apart of the organization for this setting to take affect
// If the limit collection management setting is disabled, allow any user to read all organization users
if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
{
context.Succeed(requirement);
return;
}
// Allow provider users to read all organization users if they are a provider for the target organization
if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
{
context.Succeed(requirement);
}
}
private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
{
// If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
// irrelevant
if (organization == null)
{
return null;
}
(await _applicationCacheService.GetOrganizationAbilitiesAsync())
.TryGetValue(organization.Id, out var organizationAbility);
return organizationAbility;
}
}
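Review bot: The comment kept above the `if (org is ...)` pattern in the read-all check still begins "If the limit collection management setting is disabled, allow any user to read all organization users", although that clause appears to have been removed from the pattern (the hunk header shows one line fewer on the new side) and the sentence is repeated above the new `GetOrganizationAbilityAsync` check. GroupAuthorizationHandler appears to have had its equivalent comment trimmed; the same here, `// Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all organization users`, stops the comment describing an access path the pattern no longer grants. The enclosing method starts outside the hunk. In the added comment, "apart of" and "take affect" should read "a part of" and "take effect"; the same wording occurs in the other two handlers.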