[SM-923] Add project service accounts access policies management endpoints (#3993)

* Add new models * Update repositories * Add new authz handler * Add new query * Add new command * Add authz, command, and query to DI * Add new endpoint to controller * Add query unit tests * Add api unit tests * Add api integration tests
2025-12-18 09:13:19 +00:00 · 2024-05-02 11:06:20 -05:00
parent e302ee1520
commit 7f8cea58d0
23 changed files with 1559 additions and 29 deletions
--- a/src/Core/SecretsManager/Models/Data/AccessPolicyUpdates/ProjectServiceAccountsAccessPoliciesUpdates.cs
+++ b/src/Core/SecretsManager/Models/Data/AccessPolicyUpdates/ProjectServiceAccountsAccessPoliciesUpdates.cs
@@ -0,0 +1,9 @@
+#nullable enable
+namespace Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
+
+public class ProjectServiceAccountsAccessPoliciesUpdates
+{
+    public Guid ProjectId { get; set; }
+    public Guid OrganizationId { get; set; }
+    public IEnumerable<ServiceAccountProjectAccessPolicyUpdate> ServiceAccountAccessPolicyUpdates { get; set; } = [];
+}
--- a/src/Core/SecretsManager/Models/Data/ProjectServiceAccountsAccessPolicies.cs
+++ b/src/Core/SecretsManager/Models/Data/ProjectServiceAccountsAccessPolicies.cs
@@ -0,0 +1,80 @@
+#nullable enable
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Enums.AccessPolicies;
+using Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
+
+namespace Bit.Core.SecretsManager.Models.Data;
+
+public class ProjectServiceAccountsAccessPolicies
+{
+    public ProjectServiceAccountsAccessPolicies()
+    {
+    }
+
+    public ProjectServiceAccountsAccessPolicies(Guid projectId,
+        IEnumerable<BaseAccessPolicy> policies)
+    {
+        ProjectId = projectId;
+        ServiceAccountAccessPolicies = policies
+            .OfType<ServiceAccountProjectAccessPolicy>()
+            .ToList();
+
+        var project = ServiceAccountAccessPolicies.FirstOrDefault()?.GrantedProject;
+        if (project != null)
+        {
+            OrganizationId = project.OrganizationId;
+        }
+    }
+
+    public Guid ProjectId { get; set; }
+    public Guid OrganizationId { get; set; }
+    public IEnumerable<ServiceAccountProjectAccessPolicy> ServiceAccountAccessPolicies { get; set; } = [];
+
+    public ProjectServiceAccountsAccessPoliciesUpdates GetPolicyUpdates(ProjectServiceAccountsAccessPolicies requested)
+    {
+        var currentServiceAccountIds = GetServiceAccountIds(ServiceAccountAccessPolicies);
+        var requestedServiceAccountIds = GetServiceAccountIds(requested.ServiceAccountAccessPolicies);
+
+        var serviceAccountIdsToBeDeleted = currentServiceAccountIds.Except(requestedServiceAccountIds).ToList();
+        var serviceAccountIdsToBeCreated = requestedServiceAccountIds.Except(currentServiceAccountIds).ToList();
+        var serviceAccountIdsToBeUpdated = GetServiceAccountIdsToBeUpdated(requested);
+
+        var policiesToBeDeleted =
+            CreatePolicyUpdates(ServiceAccountAccessPolicies, serviceAccountIdsToBeDeleted,
+                AccessPolicyOperation.Delete);
+        var policiesToBeCreated = CreatePolicyUpdates(requested.ServiceAccountAccessPolicies,
+            serviceAccountIdsToBeCreated,
+            AccessPolicyOperation.Create);
+        var policiesToBeUpdated = CreatePolicyUpdates(requested.ServiceAccountAccessPolicies,
+            serviceAccountIdsToBeUpdated,
+            AccessPolicyOperation.Update);
+
+        return new ProjectServiceAccountsAccessPoliciesUpdates
+        {
+            OrganizationId = OrganizationId,
+            ProjectId = ProjectId,
+            ServiceAccountAccessPolicyUpdates =
+                policiesToBeDeleted.Concat(policiesToBeCreated).Concat(policiesToBeUpdated)
+        };
+    }
+
+    private static List<ServiceAccountProjectAccessPolicyUpdate> CreatePolicyUpdates(
+        IEnumerable<ServiceAccountProjectAccessPolicy> policies, List<Guid> serviceAccountIds,
+        AccessPolicyOperation operation) =>
+        policies
+            .Where(ap => serviceAccountIds.Contains(ap.ServiceAccountId!.Value))
+            .Select(ap => new ServiceAccountProjectAccessPolicyUpdate { Operation = operation, AccessPolicy = ap })
+            .ToList();
+
+    private List<Guid> GetServiceAccountIdsToBeUpdated(ProjectServiceAccountsAccessPolicies requested) =>
+        ServiceAccountAccessPolicies
+            .Where(currentAp => requested.ServiceAccountAccessPolicies.Any(requestedAp =>
+                requestedAp.GrantedProjectId == currentAp.GrantedProjectId &&
+                requestedAp.ServiceAccountId == currentAp.ServiceAccountId &&
+                (requestedAp.Write != currentAp.Write || requestedAp.Read != currentAp.Read)))
+            .Select(ap => ap.ServiceAccountId!.Value)
+            .ToList();
+
+    private static List<Guid> GetServiceAccountIds(IEnumerable<ServiceAccountProjectAccessPolicy> policies) =>
+        policies.Select(ap => ap.ServiceAccountId!.Value).ToList();
+}