[SM-923] Add project service accounts access policies management endpoints (#3993)

* Add new models * Update repositories * Add new authz handler * Add new query * Add new command * Add authz, command, and query to DI * Add new endpoint to controller * Add query unit tests * Add api unit tests * Add api integration tests
2025-12-14 15:23:42 +00:00 · 2024-05-02 11:06:20 -05:00
parent e302ee1520
commit 7f8cea58d0
23 changed files with 1559 additions and 29 deletions
--- a/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
+++ b/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
@@ -29,8 +29,10 @@ public class AccessPoliciesController : Controller
    private readonly IServiceAccountRepository _serviceAccountRepository;
    private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
    private readonly IUpdateServiceAccountGrantedPoliciesCommand _updateServiceAccountGrantedPoliciesCommand;
+    private readonly IUpdateProjectServiceAccountsAccessPoliciesCommand _updateProjectServiceAccountsAccessPoliciesCommand;
    private readonly IAccessClientQuery _accessClientQuery;
    private readonly IServiceAccountGrantedPolicyUpdatesQuery _serviceAccountGrantedPolicyUpdatesQuery;
+    private readonly IProjectServiceAccountsAccessPoliciesUpdatesQuery _projectServiceAccountsAccessPoliciesUpdatesQuery;
    private readonly IUserService _userService;
    private readonly IAuthorizationService _authorizationService;

@@ -43,9 +45,11 @@ public class AccessPoliciesController : Controller
        IProjectRepository projectRepository,
        IAccessClientQuery accessClientQuery,
        IServiceAccountGrantedPolicyUpdatesQuery serviceAccountGrantedPolicyUpdatesQuery,
+        IProjectServiceAccountsAccessPoliciesUpdatesQuery projectServiceAccountsAccessPoliciesUpdatesQuery,
        IUpdateServiceAccountGrantedPoliciesCommand updateServiceAccountGrantedPoliciesCommand,
        ICreateAccessPoliciesCommand createAccessPoliciesCommand,
        IDeleteAccessPolicyCommand deleteAccessPolicyCommand,
+        IUpdateProjectServiceAccountsAccessPoliciesCommand updateProjectServiceAccountsAccessPoliciesCommand,
        IUpdateAccessPolicyCommand updateAccessPolicyCommand)
    {
        _authorizationService = authorizationService;
@@ -60,6 +64,8 @@ public class AccessPoliciesController : Controller
        _updateServiceAccountGrantedPoliciesCommand = updateServiceAccountGrantedPoliciesCommand;
        _accessClientQuery = accessClientQuery;
        _serviceAccountGrantedPolicyUpdatesQuery = serviceAccountGrantedPolicyUpdatesQuery;
+        _projectServiceAccountsAccessPoliciesUpdatesQuery = projectServiceAccountsAccessPoliciesUpdatesQuery;
+        _updateProjectServiceAccountsAccessPoliciesCommand = updateProjectServiceAccountsAccessPoliciesCommand;
    }

    [HttpPost("/projects/{id}/access-policies")]
@@ -296,6 +302,41 @@ public class AccessPoliciesController : Controller
        return await GetServiceAccountGrantedPoliciesAsync(serviceAccount);
    }

+    [HttpGet("/projects/{id}/access-policies/service-accounts")]
+    public async Task<ProjectServiceAccountsAccessPoliciesResponseModel>
+        GetProjectServiceAccountsAccessPoliciesAsync(
+            [FromRoute] Guid id)
+    {
+        var project = await _projectRepository.GetByIdAsync(id);
+        await CheckUserHasWriteAccessToProjectAsync(project);
+        var results =
+            await _accessPolicyRepository.GetProjectServiceAccountsAccessPoliciesAsync(id);
+        return new ProjectServiceAccountsAccessPoliciesResponseModel(results);
+    }
+
+    [HttpPut("/projects/{id}/access-policies/service-accounts")]
+    public async Task<ProjectServiceAccountsAccessPoliciesResponseModel>
+        PutProjectServiceAccountsAccessPoliciesAsync([FromRoute] Guid id,
+            [FromBody] ProjectServiceAccountsAccessPoliciesRequestModel request)
+    {
+        var project = await _projectRepository.GetByIdAsync(id) ?? throw new NotFoundException();
+        var accessPoliciesUpdates =
+            await _projectServiceAccountsAccessPoliciesUpdatesQuery.GetAsync(
+                request.ToProjectServiceAccountsAccessPolicies(project));
+
+        var authorizationResult = await _authorizationService.AuthorizeAsync(User, accessPoliciesUpdates,
+            ProjectServiceAccountsAccessPoliciesOperations.Updates);
+        if (!authorizationResult.Succeeded)
+        {
+            throw new NotFoundException();
+        }
+
+        await _updateProjectServiceAccountsAccessPoliciesCommand.UpdateAsync(accessPoliciesUpdates);
+
+        var results = await _accessPolicyRepository.GetProjectServiceAccountsAccessPoliciesAsync(id);
+        return new ProjectServiceAccountsAccessPoliciesResponseModel(results);
+    }
+
    private async Task<(AccessClientType AccessClientType, Guid UserId)> CheckUserHasWriteAccessToProjectAsync(Project project)
    {
        if (project == null)