mirror of
https://github.com/bitwarden/server
synced 2025-12-16 00:03:54 +00:00
[PM-23921] [BEEEP] Add IOrganizationRequirements for each permission (#6105)
* Add BasePermissionRequirement and implement it for each permission * Add tests
This commit is contained in:
Thomas Rittson
GitHub
@@ -0,0 +1,24 @@
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Models.Data;
|
||||
|
||||
namespace Bit.Api.AdminConsole.Authorization.Requirements;
|
||||
|
||||
/// <summary>
|
||||
/// A base implementation of <see cref="IOrganizationRequirement"/> which will authorize Owners, Admins, Providers,
|
||||
/// and custom users with the permission specified by the permissionPicker constructor parameter. This is suitable
|
||||
/// for most requirements related to a custom permission.
|
||||
/// </summary>
|
||||
/// <param name="permissionPicker">A function that returns a custom permission which will authorize the action.</param>
|
||||
public abstract class BasePermissionRequirement(Func<Permissions, bool> permissionPicker) : IOrganizationRequirement
|
||||
{
|
||||
public async Task<bool> AuthorizeAsync(CurrentContextOrganization? organizationClaims,
|
||||
Func<Task<bool>> isProviderUserForOrg)
|
||||
=> organizationClaims switch
|
||||
{
|
||||
{ Type: OrganizationUserType.Owner } => true,
|
||||
{ Type: OrganizationUserType.Admin } => true,
|
||||
{ Type: OrganizationUserType.Custom } when permissionPicker(organizationClaims.Permissions) => true,
|
||||
_ => await isProviderUserForOrg()
|
||||
};
|
||||
}
|
||||
@@ -1,20 +0,0 @@
|
||||
#nullable enable
|
||||
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Enums;
|
||||
|
||||
namespace Bit.Api.AdminConsole.Authorization.Requirements;
|
||||
|
||||
public class ManageAccountRecoveryRequirement : IOrganizationRequirement
|
||||
{
|
||||
public async Task<bool> AuthorizeAsync(
|
||||
CurrentContextOrganization? organizationClaims,
|
||||
Func<Task<bool>> isProviderUserForOrg)
|
||||
=> organizationClaims switch
|
||||
{
|
||||
{ Type: OrganizationUserType.Owner } => true,
|
||||
{ Type: OrganizationUserType.Admin } => true,
|
||||
{ Permissions.ManageResetPassword: true } => true,
|
||||
_ => await isProviderUserForOrg()
|
||||
};
|
||||
}
|
||||
@@ -1,20 +0,0 @@
|
||||
#nullable enable
|
||||
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Enums;
|
||||
|
||||
namespace Bit.Api.AdminConsole.Authorization.Requirements;
|
||||
|
||||
public class ManageUsersRequirement : IOrganizationRequirement
|
||||
{
|
||||
public async Task<bool> AuthorizeAsync(
|
||||
CurrentContextOrganization? organizationClaims,
|
||||
Func<Task<bool>> isProviderUserForOrg)
|
||||
=> organizationClaims switch
|
||||
{
|
||||
{ Type: OrganizationUserType.Owner } => true,
|
||||
{ Type: OrganizationUserType.Admin } => true,
|
||||
{ Permissions.ManageUsers: true } => true,
|
||||
_ => await isProviderUserForOrg()
|
||||
};
|
||||
}
|
||||
@@ -0,0 +1,11 @@
|
||||
namespace Bit.Api.AdminConsole.Authorization.Requirements;
|
||||
|
||||
public class AccessEventLogsRequirement() : BasePermissionRequirement(p => p.AccessEventLogs);
|
||||
public class AccessImportExportRequirement() : BasePermissionRequirement(p => p.AccessImportExport);
|
||||
public class AccessReportsRequirement() : BasePermissionRequirement(p => p.AccessReports);
|
||||
public class ManageAccountRecoveryRequirement() : BasePermissionRequirement(p => p.ManageResetPassword);
|
||||
public class ManageGroupsRequirement() : BasePermissionRequirement(p => p.ManageGroups);
|
||||
public class ManagePoliciesRequirement() : BasePermissionRequirement(p => p.ManagePolicies);
|
||||
public class ManageScimRequirement() : BasePermissionRequirement(p => p.ManageScim);
|
||||
public class ManageSsoRequirement() : BasePermissionRequirement(p => p.ManageSso);
|
||||
public class ManageUsersRequirement() : BasePermissionRequirement(p => p.ManageUsers);
|
||||
@@ -0,0 +1,66 @@
|
||||
using Bit.Api.AdminConsole.Authorization.Requirements;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Test.AdminConsole.AutoFixture;
|
||||
using Bit.Core.Test.AdminConsole.Helpers;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Api.Test.AdminConsole.Authorization.Requirements;
|
||||
|
||||
public class BasePermissionRequirementTests
|
||||
{
|
||||
[Theory, BitAutoData]
|
||||
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Owner)]
|
||||
public async Task Authorizes_Owners(CurrentContextOrganization organizationClaims)
|
||||
{
|
||||
var result = await new PermissionRequirement().AuthorizeAsync(organizationClaims, () => Task.FromResult(false));
|
||||
Assert.True(result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin)]
|
||||
public async Task Authorizes_Admins(CurrentContextOrganization organizationClaims)
|
||||
{
|
||||
var result = await new PermissionRequirement().AuthorizeAsync(organizationClaims, () => Task.FromResult(false));
|
||||
Assert.True(result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.User)]
|
||||
public async Task Authorizes_Providers(CurrentContextOrganization organizationClaims)
|
||||
{
|
||||
var result = await new PermissionRequirement().AuthorizeAsync(organizationClaims, () => Task.FromResult(true));
|
||||
Assert.True(result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Custom)]
|
||||
public async Task Authorizes_CustomPermission(CurrentContextOrganization organizationClaims)
|
||||
{
|
||||
organizationClaims.Permissions.ManageGroups = true;
|
||||
var result = await new TestCustomPermissionRequirement().AuthorizeAsync(organizationClaims, () => Task.FromResult(false));
|
||||
Assert.True(result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.User)]
|
||||
public async Task DoesNotAuthorize_Users(CurrentContextOrganization organizationClaims)
|
||||
{
|
||||
var result = await new PermissionRequirement().AuthorizeAsync(organizationClaims, () => Task.FromResult(false));
|
||||
Assert.False(result);
|
||||
}
|
||||
|
||||
[Theory, BitAutoData]
|
||||
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Custom)]
|
||||
public async Task DoesNotAuthorize_OtherCustomPermissions(CurrentContextOrganization organizationClaims)
|
||||
{
|
||||
organizationClaims.Permissions.ManageGroups = true;
|
||||
organizationClaims.Permissions = organizationClaims.Permissions.Invert();
|
||||
var result = await new TestCustomPermissionRequirement().AuthorizeAsync(organizationClaims, () => Task.FromResult(false));
|
||||
Assert.False(result);
|
||||
}
|
||||
|
||||
private class PermissionRequirement() : BasePermissionRequirement(_ => false);
|
||||
private class TestCustomPermissionRequirement() : BasePermissionRequirement(p => p.ManageGroups);
|
||||
}
|
||||
@@ -0,0 +1,88 @@
|
||||
using Bit.Api.AdminConsole.Authorization;
|
||||
using Bit.Api.AdminConsole.Authorization.Requirements;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Models.Data;
|
||||
using Bit.Core.Test.AdminConsole.AutoFixture;
|
||||
using Bit.Core.Test.AdminConsole.Helpers;
|
||||
using Bit.Test.Common.AutoFixture.Attributes;
|
||||
using Xunit;
|
||||
|
||||
namespace Bit.Api.Test.AdminConsole.Authorization.Requirements;
|
||||
|
||||
public class PermissionRequirementsTests
|
||||
{
|
||||
/// <summary>
|
||||
/// Correlates each IOrganizationRequirement with its custom permission. If you add a new requirement,
|
||||
/// add a new entry here to have it automatically included in the tests below.
|
||||
/// </summary>
|
||||
public static IEnumerable<object[]> RequirementData => new List<object[]>
|
||||
{
|
||||
new object[] { new AccessEventLogsRequirement(), nameof(Permissions.AccessEventLogs) },
|
||||
new object[] { new AccessImportExportRequirement(), nameof(Permissions.AccessImportExport) },
|
||||
new object[] { new AccessReportsRequirement(), nameof(Permissions.AccessReports) },
|
||||
new object[] { new ManageAccountRecoveryRequirement(), nameof(Permissions.ManageResetPassword) },
|
||||
new object[] { new ManageGroupsRequirement(), nameof(Permissions.ManageGroups) },
|
||||
new object[] { new ManagePoliciesRequirement(), nameof(Permissions.ManagePolicies) },
|
||||
new object[] { new ManageScimRequirement(), nameof(Permissions.ManageScim) },
|
||||
new object[] { new ManageSsoRequirement(), nameof(Permissions.ManageSso) },
|
||||
new object[] { new ManageUsersRequirement(), nameof(Permissions.ManageUsers) },
|
||||
};
|
||||
|
||||
[Theory]
|
||||
[BitMemberAutoData(nameof(RequirementData))]
|
||||
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.User)]
|
||||
public async Task Authorizes_Provider(IOrganizationRequirement requirement, string _, CurrentContextOrganization organization)
|
||||
{
|
||||
var result = await requirement.AuthorizeAsync(organization, () => Task.FromResult(true));
|
||||
Assert.True(result);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitMemberAutoData(nameof(RequirementData))]
|
||||
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Owner)]
|
||||
public async Task Authorizes_Owner(IOrganizationRequirement requirement, string _, CurrentContextOrganization organization)
|
||||
{
|
||||
var result = await requirement.AuthorizeAsync(organization, () => Task.FromResult(false));
|
||||
Assert.True(result);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitMemberAutoData(nameof(RequirementData))]
|
||||
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Admin)]
|
||||
public async Task Authorizes_Admin(IOrganizationRequirement requirement, string _, CurrentContextOrganization organization)
|
||||
{
|
||||
var result = await requirement.AuthorizeAsync(organization, () => Task.FromResult(false));
|
||||
Assert.True(result);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitMemberAutoData(nameof(RequirementData))]
|
||||
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Custom)]
|
||||
public async Task Authorizes_Custom_With_Correct_Permission(IOrganizationRequirement requirement, string permissionName, CurrentContextOrganization organization)
|
||||
{
|
||||
organization.Permissions.SetPermission(permissionName, true);
|
||||
var result = await requirement.AuthorizeAsync(organization, () => Task.FromResult(false));
|
||||
Assert.True(result);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitMemberAutoData(nameof(RequirementData))]
|
||||
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.Custom)]
|
||||
public async Task DoesNotAuthorize_Custom_With_Other_Permissions(IOrganizationRequirement requirement, string permissionName, CurrentContextOrganization organization)
|
||||
{
|
||||
organization.Permissions.SetPermission(permissionName, true);
|
||||
organization.Permissions = organization.Permissions.Invert();
|
||||
var result = await requirement.AuthorizeAsync(organization, () => Task.FromResult(false));
|
||||
Assert.False(result);
|
||||
}
|
||||
|
||||
[Theory]
|
||||
[BitMemberAutoData(nameof(RequirementData))]
|
||||
[CurrentContextOrganizationCustomize(Type = OrganizationUserType.User)]
|
||||
public async Task DoesNotAuthorize_User(IOrganizationRequirement requirement, string _, CurrentContextOrganization organization)
|
||||
{
|
||||
var result = await requirement.AuthorizeAsync(organization, () => Task.FromResult(false));
|
||||
Assert.False(result);
|
||||
}
|
||||
}
|
||||
@@ -6,6 +6,23 @@ namespace Bit.Core.Test.AdminConsole.Helpers;
|
||||
|
||||
public static class PermissionsHelpers
|
||||
{
|
||||
/// <summary>
|
||||
/// Sets the specified permission.
|
||||
/// </summary>
|
||||
/// <param name="permissionName">The permission name specified as a string - using `nameof` is highly recommended.</param>
|
||||
/// <param name="value">The value to set the permission to.</param>
|
||||
/// <returns>No value; this mutates the permissions object.</returns>
|
||||
public static void SetPermission(this Permissions permissions, string permissionName, bool value)
|
||||
{
|
||||
var prop = typeof(Permissions).GetProperty(permissionName);
|
||||
if (prop == null)
|
||||
{
|
||||
throw new NullReferenceException("Invalid property name.");
|
||||
}
|
||||
|
||||
prop.SetValue(permissions, true);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Return a new Permission object with inverted permissions.
|
||||
/// This is useful to test negative cases, e.g. "all other permissions should fail".
|
||||
|
||||
Reference in New Issue
Block a user