mirror of
https://github.com/bitwarden/server
synced 2025-12-17 16:53:23 +00:00
[PM-23921] [BEEEP] Add IOrganizationRequirements for each permission (#6105)
* Add BasePermissionRequirement and implement it for each permission * Add tests
This commit is contained in:
Thomas Rittson
GitHub
@@ -0,0 +1,24 @@
|
|||||||
|
using Bit.Core.Context;
|
||||||
|
using Bit.Core.Enums;
|
||||||
|
using Bit.Core.Models.Data;
|
||||||
|
|
||||||
|
namespace Bit.Api.AdminConsole.Authorization.Requirements;
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// A base implementation of <see cref="IOrganizationRequirement"/> which will authorize Owners, Admins, Providers,
|
||||||
|
/// and custom users with the permission specified by the permissionPicker constructor parameter. This is suitable
|
||||||
|
/// for most requirements related to a custom permission.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="permissionPicker">A function that returns a custom permission which will authorize the action.</param>
|
||||||
|
public abstract class BasePermissionRequirement(Func<Permissions, bool> permissionPicker) : IOrganizationRequirement
|
||||||
|
{
|
||||||
|
public async Task<bool> AuthorizeAsync(CurrentContextOrganization? organizationClaims,
|
||||||
|
Func<Task<bool>> isProviderUserForOrg)
|
||||||
|
=> organizationClaims switch
|
||||||
|
{
|
||||||
|
{ Type: OrganizationUserType.Owner } => true,
|
||||||
|
{ Type: OrganizationUserType.Admin } => true,
|
||||||
|
{ Type: OrganizationUserType.Custom } when permissionPicker(organizationClaims.Permissions) => true,
|
||||||
|
_ => await isProviderUserForOrg()
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -1,20 +0,0 @@
|
|||||||
#nullable enable
|
|
||||||
|
|
||||||
using Bit.Core.Context;
|
|
||||||
using Bit.Core.Enums;
|
|
||||||
|
|
||||||
namespace Bit.Api.AdminConsole.Authorization.Requirements;
|
|
||||||
|
|
||||||
public class ManageAccountRecoveryRequirement : IOrganizationRequirement
|
|
||||||
{
|
|
||||||
public async Task<bool> AuthorizeAsync(
|
|
||||||
CurrentContextOrganization? organizationClaims,
|
|
||||||
Func<Task<bool>> isProviderUserForOrg)
|
|
||||||
=> organizationClaims switch
|
|
||||||
{
|
|
||||||
{ Type: OrganizationUserType.Owner } => true,
|
|
||||||
{ Type: OrganizationUserType.Admin } => true,
|
|
||||||
{ Permissions.ManageResetPassword: true } => true,
|
|
||||||
_ => await isProviderUserForOrg()
|
|
||||||
};
|
|
||||||
}
|
|
||||||
@@ -1,20 +0,0 @@
|
|||||||
#nullable enable
|
|
||||||
|
|
||||||
using Bit.Core.Context;
|
|
||||||
using Bit.Core.Enums;
|
|
||||||
|
|
||||||
namespace Bit.Api.AdminConsole.Authorization.Requirements;
|
|
||||||
|
|
||||||
public class ManageUsersRequirement : IOrganizationRequirement
|
|
||||||
{
|
|
||||||
public async Task<bool> AuthorizeAsync(
|
|
||||||
CurrentContextOrganization? organizationClaims,
|
|
||||||
Func<Task<bool>> isProviderUserForOrg)
|
|
||||||
=> organizationClaims switch
|
|
||||||
{
|
|
||||||
{ Type: OrganizationUserType.Owner } => true,
|
|
||||||
{ Type: OrganizationUserType.Admin } => true,
|
|
||||||
{ Permissions.ManageUsers: true } => true,
|
|
||||||
_ => await isProviderUserForOrg()
|
|
||||||
};
|
|
||||||
}
|
|
||||||
@@ -0,0 +1,11 @@
|
|||||||
|
namespace Bit.Api.AdminConsole.Authorization.Requirements;
|
||||||
|
|
||||||
|
public class AccessEventLogsRequirement() : BasePermissionRequirement(p => p.AccessEventLogs);
|
||||||
|
public class AccessImportExportRequirement() : BasePermissionRequirement(p => p.AccessImportExport);
|
||||||
|
public class AccessReportsRequirement() : BasePermissionRequirement(p => p.AccessReports);
|
||||||
|
public class ManageAccountRecoveryRequirement() : BasePermissionRequirement(p => p.ManageResetPassword);
|
||||||
|
public class ManageGroupsRequirement() : BasePermissionRequirement(p => p.ManageGroups);
|
||||||
|
public class ManagePoliciesRequirement() : BasePermissionRequirement(p => p.ManagePolicies);
|
||||||
|
public class ManageScimRequirement() : BasePermissionRequirement(p => p.ManageScim);
|
||||||
|
public class ManageSsoRequirement() : BasePermissionRequirement(p => p.ManageSso);
|
||||||
|
public class ManageUsersRequirement() : BasePermissionRequirement(p => p.ManageUsers);
|
||||||
@@ -0,0 +1,66 @@
|
|||||||
|
using Bit.Api.AdminConsole.Authorization.Requirements;
|
||||||
|
using Bit.Core.Context;
|
||||||
|
using Bit.Core.Enums;
|
||||||
|
using Bit.Core.Test.AdminConsole.AutoFixture;
|
||||||
|
using Bit.Core.Test.AdminConsole.Helpers;
|
||||||
|
using Bit.Test.Common.AutoFixture.Attributes;
|
||||||
|
using Xunit;
|
||||||
|
|
||||||
|
namespace Bit.Api.Test.AdminConsole.Authorization.Requirements;
|
||||||
|
|
||||||
|
public class BasePermissionRequirementTests
|
||||||
|
{
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Owner)]
|
||||||
|
public async Task Authorizes_Owners(CurrentContextOrganization organizationClaims)
|
||||||
|
{
|
||||||
|
var result = await new PermissionRequirement().AuthorizeAsync(organizationClaims, () => Task.FromResult(false));
|
||||||
|
Assert.True(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin)]
|
||||||
|
public async Task Authorizes_Admins(CurrentContextOrganization organizationClaims)
|
||||||
|
{
|
||||||
|
var result = await new PermissionRequirement().AuthorizeAsync(organizationClaims, () => Task.FromResult(false));
|
||||||
|
Assert.True(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.User)]
|
||||||
|
public async Task Authorizes_Providers(CurrentContextOrganization organizationClaims)
|
||||||
|
{
|
||||||
|
var result = await new PermissionRequirement().AuthorizeAsync(organizationClaims, () => Task.FromResult(true));
|
||||||
|
Assert.True(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Custom)]
|
||||||
|
public async Task Authorizes_CustomPermission(CurrentContextOrganization organizationClaims)
|
||||||
|
{
|
||||||
|
organizationClaims.Permissions.ManageGroups = true;
|
||||||
|
var result = await new TestCustomPermissionRequirement().AuthorizeAsync(organizationClaims, () => Task.FromResult(false));
|
||||||
|
Assert.True(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.User)]
|
||||||
|
public async Task DoesNotAuthorize_Users(CurrentContextOrganization organizationClaims)
|
||||||
|
{
|
||||||
|
var result = await new PermissionRequirement().AuthorizeAsync(organizationClaims, () => Task.FromResult(false));
|
||||||
|
Assert.False(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory, BitAutoData]
|
||||||
|
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Custom)]
|
||||||
|
public async Task DoesNotAuthorize_OtherCustomPermissions(CurrentContextOrganization organizationClaims)
|
||||||
|
{
|
||||||
|
organizationClaims.Permissions.ManageGroups = true;
|
||||||
|
organizationClaims.Permissions = organizationClaims.Permissions.Invert();
|
||||||
|
var result = await new TestCustomPermissionRequirement().AuthorizeAsync(organizationClaims, () => Task.FromResult(false));
|
||||||
|
Assert.False(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
private class PermissionRequirement() : BasePermissionRequirement(_ => false);
|
||||||
|
private class TestCustomPermissionRequirement() : BasePermissionRequirement(p => p.ManageGroups);
|
||||||
|
}
|
||||||
@@ -0,0 +1,88 @@
|
|||||||
|
using Bit.Api.AdminConsole.Authorization;
|
||||||
|
using Bit.Api.AdminConsole.Authorization.Requirements;
|
||||||
|
using Bit.Core.Context;
|
||||||
|
using Bit.Core.Enums;
|
||||||
|
using Bit.Core.Models.Data;
|
||||||
|
using Bit.Core.Test.AdminConsole.AutoFixture;
|
||||||
|
using Bit.Core.Test.AdminConsole.Helpers;
|
||||||
|
using Bit.Test.Common.AutoFixture.Attributes;
|
||||||
|
using Xunit;
|
||||||
|
|
||||||
|
namespace Bit.Api.Test.AdminConsole.Authorization.Requirements;
|
||||||
|
|
||||||
|
public class PermissionRequirementsTests
|
||||||
|
{
|
||||||
|
/// <summary>
|
||||||
|
/// Correlates each IOrganizationRequirement with its custom permission. If you add a new requirement,
|
||||||
|
/// add a new entry here to have it automatically included in the tests below.
|
||||||
|
/// </summary>
|
||||||
|
public static IEnumerable<object[]> RequirementData => new List<object[]>
|
||||||
|
{
|
||||||
|
new object[] { new AccessEventLogsRequirement(), nameof(Permissions.AccessEventLogs) },
|
||||||
|
new object[] { new AccessImportExportRequirement(), nameof(Permissions.AccessImportExport) },
|
||||||
|
new object[] { new AccessReportsRequirement(), nameof(Permissions.AccessReports) },
|
||||||
|
new object[] { new ManageAccountRecoveryRequirement(), nameof(Permissions.ManageResetPassword) },
|
||||||
|
new object[] { new ManageGroupsRequirement(), nameof(Permissions.ManageGroups) },
|
||||||
|
new object[] { new ManagePoliciesRequirement(), nameof(Permissions.ManagePolicies) },
|
||||||
|
new object[] { new ManageScimRequirement(), nameof(Permissions.ManageScim) },
|
||||||
|
new object[] { new ManageSsoRequirement(), nameof(Permissions.ManageSso) },
|
||||||
|
new object[] { new ManageUsersRequirement(), nameof(Permissions.ManageUsers) },
|
||||||
|
};
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitMemberAutoData(nameof(RequirementData))]
|
||||||
|
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.User)]
|
||||||
|
public async Task Authorizes_Provider(IOrganizationRequirement requirement, string _, CurrentContextOrganization organization)
|
||||||
|
{
|
||||||
|
var result = await requirement.AuthorizeAsync(organization, () => Task.FromResult(true));
|
||||||
|
Assert.True(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitMemberAutoData(nameof(RequirementData))]
|
||||||
|
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Owner)]
|
||||||
|
public async Task Authorizes_Owner(IOrganizationRequirement requirement, string _, CurrentContextOrganization organization)
|
||||||
|
{
|
||||||
|
var result = await requirement.AuthorizeAsync(organization, () => Task.FromResult(false));
|
||||||
|
Assert.True(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitMemberAutoData(nameof(RequirementData))]
|
||||||
|
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin)]
|
||||||
|
public async Task Authorizes_Admin(IOrganizationRequirement requirement, string _, CurrentContextOrganization organization)
|
||||||
|
{
|
||||||
|
var result = await requirement.AuthorizeAsync(organization, () => Task.FromResult(false));
|
||||||
|
Assert.True(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitMemberAutoData(nameof(RequirementData))]
|
||||||
|
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Custom)]
|
||||||
|
public async Task Authorizes_Custom_With_Correct_Permission(IOrganizationRequirement requirement, string permissionName, CurrentContextOrganization organization)
|
||||||
|
{
|
||||||
|
organization.Permissions.SetPermission(permissionName, true);
|
||||||
|
var result = await requirement.AuthorizeAsync(organization, () => Task.FromResult(false));
|
||||||
|
Assert.True(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitMemberAutoData(nameof(RequirementData))]
|
||||||
|
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Custom)]
|
||||||
|
public async Task DoesNotAuthorize_Custom_With_Other_Permissions(IOrganizationRequirement requirement, string permissionName, CurrentContextOrganization organization)
|
||||||
|
{
|
||||||
|
organization.Permissions.SetPermission(permissionName, true);
|
||||||
|
organization.Permissions = organization.Permissions.Invert();
|
||||||
|
var result = await requirement.AuthorizeAsync(organization, () => Task.FromResult(false));
|
||||||
|
Assert.False(result);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Theory]
|
||||||
|
[BitMemberAutoData(nameof(RequirementData))]
|
||||||
|
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.User)]
|
||||||
|
public async Task DoesNotAuthorize_User(IOrganizationRequirement requirement, string _, CurrentContextOrganization organization)
|
||||||
|
{
|
||||||
|
var result = await requirement.AuthorizeAsync(organization, () => Task.FromResult(false));
|
||||||
|
Assert.False(result);
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -6,6 +6,23 @@ namespace Bit.Core.Test.AdminConsole.Helpers;
|
|||||||
|
|
||||||
public static class PermissionsHelpers
|
public static class PermissionsHelpers
|
||||||
{
|
{
|
||||||
|
/// <summary>
|
||||||
|
/// Sets the specified permission.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="permissionName">The permission name specified as a string - using `nameof` is highly recommended.</param>
|
||||||
|
/// <param name="value">The value to set the permission to.</param>
|
||||||
|
/// <returns>No value; this mutates the permissions object.</returns>
|
||||||
|
public static void SetPermission(this Permissions permissions, string permissionName, bool value)
|
||||||
|
{
|
||||||
|
var prop = typeof(Permissions).GetProperty(permissionName);
|
||||||
|
if (prop == null)
|
||||||
|
{
|
||||||
|
throw new NullReferenceException("Invalid property name.");
|
||||||
|
}
|
||||||
|
|
||||||
|
prop.SetValue(permissions, true);
|
||||||
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// Return a new Permission object with inverted permissions.
|
/// Return a new Permission object with inverted permissions.
|
||||||
/// This is useful to test negative cases, e.g. "all other permissions should fail".
|
/// This is useful to test negative cases, e.g. "all other permissions should fail".
|
||||||
|
|||||||
Reference in New Issue
Block a user