[PM-14378] SecurityTask Authorization Handler (#5039)

* [PM-14378] Introduce GetCipherPermissionsForOrganization query for Dapper CipherRepository * [PM-14378] Introduce GetCipherPermissionsForOrganization method for Entity Framework * [PM-14378] Add integration tests for new repository method * [PM-14378] Introduce IGetCipherPermissionsForUserQuery CQRS query * [PM-14378] Introduce SecurityTaskOperationRequirement * [PM-14378] Introduce SecurityTaskAuthorizationHandler.cs * [PM-14378] Introduce SecurityTaskOrganizationAuthorizationHandler.cs * [PM-14378] Register new authorization handlers * [PM-14378] Formatting * [PM-14378] Add unit tests for GetCipherPermissionsForUserQuery * [PM-15378] Cleanup SecurityTaskAuthorizationHandler and add tests * [PM-14378] Add tests for SecurityTaskOrganizationAuthorizationHandler * [PM-14378] Formatting * [PM-14378] Update date in migration file * [PM-14378] Add missing awaits * [PM-14378] Bump migration script date * [PM-14378] Remove Unassigned property from OrganizationCipherPermission as it was making the query too complicated * [PM-14378] Update sproc to use Union All to improve query performance * [PM-14378] Bump migration script date
2026-01-07 11:03:37 +00:00 · 2025-01-09 12:14:24 -08:00
parent fd195e7cf3
commit a99f82dddd
18 changed files with 1669 additions and 0 deletions
--- a/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskAuthorizationHandler.cs
+++ b/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskAuthorizationHandler.cs
@@ -0,0 +1,142 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Vault.Entities;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Vault.Authorization.SecurityTasks;
+
+public class SecurityTaskAuthorizationHandler : AuthorizationHandler<SecurityTaskOperationRequirement, SecurityTask>
+{
+    private readonly ICurrentContext _currentContext;
+    private readonly IGetCipherPermissionsForUserQuery _getCipherPermissionsForUserQuery;
+
+    private readonly Dictionary<Guid, IDictionary<Guid, OrganizationCipherPermission>> _cipherPermissionCache = new();
+
+    public SecurityTaskAuthorizationHandler(ICurrentContext currentContext, IGetCipherPermissionsForUserQuery getCipherPermissionsForUserQuery)
+    {
+        _currentContext = currentContext;
+        _getCipherPermissionsForUserQuery = getCipherPermissionsForUserQuery;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        SecurityTaskOperationRequirement requirement,
+        SecurityTask task)
+    {
+        if (!_currentContext.UserId.HasValue)
+        {
+            return;
+        }
+
+        var org = _currentContext.GetOrganization(task.OrganizationId);
+
+        if (org == null)
+        {
+            // User must be a member of the organization
+            return;
+        }
+
+        var authorized = requirement switch
+        {
+            not null when requirement == SecurityTaskOperations.Read => await CanReadAsync(task, org),
+            not null when requirement == SecurityTaskOperations.Create => await CanCreateAsync(task, org),
+            not null when requirement == SecurityTaskOperations.Update => await CanUpdateAsync(task, org),
+            _ => throw new ArgumentOutOfRangeException(nameof(requirement), requirement, null)
+        };
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
+        }
+    }
+
+    private async Task<bool> CanReadAsync(SecurityTask task, CurrentContextOrganization org)
+    {
+        if (!task.CipherId.HasValue)
+        {
+            // Tasks without cipher IDs are not possible currently
+            return false;
+        }
+
+        if (HasAdminAccessToSecurityTasks(org))
+        {
+            // Admins can read any task for ciphers in the organization
+            return await CipherBelongsToOrgAsync(org, task.CipherId.Value);
+        }
+
+        return await CanReadCipherForOrgAsync(org, task.CipherId.Value);
+    }
+
+    private async Task<bool> CanCreateAsync(SecurityTask task, CurrentContextOrganization org)
+    {
+        if (!task.CipherId.HasValue)
+        {
+            // Tasks without cipher IDs are not possible currently
+            return false;
+        }
+
+        if (!HasAdminAccessToSecurityTasks(org))
+        {
+            // User must be an Admin/Owner or have custom permissions for reporting
+            return false;
+        }
+
+        return await CipherBelongsToOrgAsync(org, task.CipherId.Value);
+    }
+
+    private async Task<bool> CanUpdateAsync(SecurityTask task, CurrentContextOrganization org)
+    {
+        if (!task.CipherId.HasValue)
+        {
+            // Tasks without cipher IDs are not possible currently
+            return false;
+        }
+
+        // Only users that can edit the cipher can update the task
+        return await CanEditCipherForOrgAsync(org, task.CipherId.Value);
+    }
+
+    private async Task<bool> CanEditCipherForOrgAsync(CurrentContextOrganization org, Guid cipherId)
+    {
+        var ciphers = await GetCipherPermissionsForOrgAsync(org);
+
+        return ciphers.TryGetValue(cipherId, out var cipher) && cipher.Edit;
+    }
+
+    private async Task<bool> CanReadCipherForOrgAsync(CurrentContextOrganization org, Guid cipherId)
+    {
+        var ciphers = await GetCipherPermissionsForOrgAsync(org);
+
+        return ciphers.TryGetValue(cipherId, out var cipher) && cipher.Read;
+    }
+
+    private async Task<bool> CipherBelongsToOrgAsync(CurrentContextOrganization org, Guid cipherId)
+    {
+        var ciphers = await GetCipherPermissionsForOrgAsync(org);
+
+        return ciphers.ContainsKey(cipherId);
+    }
+
+    private bool HasAdminAccessToSecurityTasks(CurrentContextOrganization org)
+    {
+        return org is
+        { Type: OrganizationUserType.Admin or OrganizationUserType.Owner } or
+        { Type: OrganizationUserType.Custom, Permissions.AccessReports: true };
+    }
+
+    private async Task<IDictionary<Guid, OrganizationCipherPermission>> GetCipherPermissionsForOrgAsync(CurrentContextOrganization organization)
+    {
+        // Re-use permissions we've already fetched for the organization
+        if (_cipherPermissionCache.TryGetValue(organization.Id, out var cachedCiphers))
+        {
+            return cachedCiphers;
+        }
+
+        var cipherPermissions = await _getCipherPermissionsForUserQuery.GetByOrganization(organization.Id);
+
+        _cipherPermissionCache.Add(organization.Id, cipherPermissions);
+
+        return cipherPermissions;
+    }
+}
--- a/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOperationRequirement.cs
+++ b/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOperationRequirement.cs
@@ -0,0 +1,27 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.Vault.Authorization.SecurityTasks;
+
+public class SecurityTaskOperationRequirement : OperationAuthorizationRequirement
+{
+    public SecurityTaskOperationRequirement(string name)
+    {
+        Name = name;
+    }
+}
+
+public static class SecurityTaskOperations
+{
+    public static readonly SecurityTaskOperationRequirement Read = new SecurityTaskOperationRequirement(nameof(Read));
+    public static readonly SecurityTaskOperationRequirement Create = new SecurityTaskOperationRequirement(nameof(Create));
+    public static readonly SecurityTaskOperationRequirement Update = new SecurityTaskOperationRequirement(nameof(Update));
+
+    /// <summary>
+    /// List all security tasks for a specific organization.
+    /// <example><code>
+    /// var orgContext = _currentContext.GetOrganization(organizationId);
+    /// _authorizationService.AuthorizeOrThrowAsync(User, SecurityTaskOperations.ListAllForOrganization, orgContext);
+    /// </code></example>
+    /// </summary>
+    public static readonly SecurityTaskOperationRequirement ListAllForOrganization = new SecurityTaskOperationRequirement(nameof(ListAllForOrganization));
+}
--- a/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOrganizationAuthorizationHandler.cs
+++ b/src/Core/Vault/Authorization/SecurityTasks/SecurityTaskOrganizationAuthorizationHandler.cs
@@ -0,0 +1,47 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.Vault.Authorization.SecurityTasks;
+
+public class
+    SecurityTaskOrganizationAuthorizationHandler : AuthorizationHandler<SecurityTaskOperationRequirement,
+    CurrentContextOrganization>
+{
+    private readonly ICurrentContext _currentContext;
+
+    public SecurityTaskOrganizationAuthorizationHandler(ICurrentContext currentContext)
+    {
+        _currentContext = currentContext;
+    }
+
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        SecurityTaskOperationRequirement requirement,
+        CurrentContextOrganization resource)
+    {
+        if (!_currentContext.UserId.HasValue)
+        {
+            return Task.CompletedTask;
+        }
+
+        var authorized = requirement switch
+        {
+            not null when requirement == SecurityTaskOperations.ListAllForOrganization => CanListAllTasksForOrganization(resource),
+            _ => throw new ArgumentOutOfRangeException(nameof(requirement), requirement, null)
+        };
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
+        }
+
+        return Task.CompletedTask;
+    }
+
+    private static bool CanListAllTasksForOrganization(CurrentContextOrganization org)
+    {
+        return org is
+        { Type: OrganizationUserType.Admin or OrganizationUserType.Owner } or
+        { Type: OrganizationUserType.Custom, Permissions.AccessReports: true };
+    }
+}