mirror of
https://github.com/bitwarden/server
synced 2026-01-06 18:43:36 +00:00
[SM-378] Enable SM on a user basis (#2590)
* Add support for giving individual users access to secrets manager
This commit is contained in:
Oscar Hinton
GitHub
@@ -17,6 +17,7 @@ public class OrganizationUserInviteRequestModel
|
||||
[Required]
|
||||
public OrganizationUserType? Type { get; set; }
|
||||
public bool AccessAll { get; set; }
|
||||
public bool AccessSecretsManager { get; set; }
|
||||
public Permissions Permissions { get; set; }
|
||||
public IEnumerable<SelectionReadOnlyRequestModel> Collections { get; set; }
|
||||
public IEnumerable<Guid> Groups { get; set; }
|
||||
@@ -28,6 +29,7 @@ public class OrganizationUserInviteRequestModel
|
||||
Emails = Emails,
|
||||
Type = Type,
|
||||
AccessAll = AccessAll,
|
||||
AccessSecretsManager = AccessSecretsManager,
|
||||
Collections = Collections?.Select(c => c.ToSelectionReadOnly()),
|
||||
Groups = Groups,
|
||||
Permissions = Permissions,
|
||||
@@ -73,6 +75,7 @@ public class OrganizationUserUpdateRequestModel
|
||||
[Required]
|
||||
public OrganizationUserType? Type { get; set; }
|
||||
public bool AccessAll { get; set; }
|
||||
public bool AccessSecretsManager { get; set; }
|
||||
public Permissions Permissions { get; set; }
|
||||
public IEnumerable<SelectionReadOnlyRequestModel> Collections { get; set; }
|
||||
public IEnumerable<Guid> Groups { get; set; }
|
||||
@@ -85,6 +88,7 @@ public class OrganizationUserUpdateRequestModel
|
||||
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
|
||||
});
|
||||
existingUser.AccessAll = AccessAll;
|
||||
existingUser.AccessSecretsManager = AccessSecretsManager;
|
||||
return existingUser;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -23,6 +23,7 @@ public class OrganizationUserResponseModel : ResponseModel
|
||||
Type = organizationUser.Type;
|
||||
Status = organizationUser.Status;
|
||||
AccessAll = organizationUser.AccessAll;
|
||||
AccessSecretsManager = organizationUser.AccessSecretsManager;
|
||||
Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(organizationUser.Permissions);
|
||||
ResetPasswordEnrolled = !string.IsNullOrEmpty(organizationUser.ResetPasswordKey);
|
||||
}
|
||||
@@ -40,6 +41,7 @@ public class OrganizationUserResponseModel : ResponseModel
|
||||
Type = organizationUser.Type;
|
||||
Status = organizationUser.Status;
|
||||
AccessAll = organizationUser.AccessAll;
|
||||
AccessSecretsManager = organizationUser.AccessSecretsManager;
|
||||
Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(organizationUser.Permissions);
|
||||
ResetPasswordEnrolled = !string.IsNullOrEmpty(organizationUser.ResetPasswordKey);
|
||||
UsesKeyConnector = organizationUser.UsesKeyConnector;
|
||||
@@ -50,6 +52,7 @@ public class OrganizationUserResponseModel : ResponseModel
|
||||
public OrganizationUserType Type { get; set; }
|
||||
public OrganizationUserStatusType Status { get; set; }
|
||||
public bool AccessAll { get; set; }
|
||||
public bool AccessSecretsManager { get; set; }
|
||||
public Permissions Permissions { get; set; }
|
||||
public bool ResetPasswordEnrolled { get; set; }
|
||||
public bool UsesKeyConnector { get; set; }
|
||||
|
||||
@@ -52,6 +52,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
|
||||
FamilySponsorshipLastSyncDate = organization.FamilySponsorshipLastSyncDate;
|
||||
FamilySponsorshipToDelete = organization.FamilySponsorshipToDelete;
|
||||
FamilySponsorshipValidUntil = organization.FamilySponsorshipValidUntil;
|
||||
AccessSecretsManager = organization.AccessSecretsManager;
|
||||
|
||||
if (organization.SsoConfig != null)
|
||||
{
|
||||
@@ -101,4 +102,5 @@ public class ProfileOrganizationResponseModel : ResponseModel
|
||||
public DateTime? FamilySponsorshipLastSyncDate { get; set; }
|
||||
public DateTime? FamilySponsorshipValidUntil { get; set; }
|
||||
public bool? FamilySponsorshipToDelete { get; set; }
|
||||
public bool AccessSecretsManager { get; set; }
|
||||
}
|
||||
|
||||
@@ -7,61 +7,46 @@ using Bit.Core.Exceptions;
|
||||
using Bit.Core.SecretsManager.Commands.Projects.Interfaces;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
|
||||
namespace Bit.Api.SecretsManager.Controllers;
|
||||
|
||||
[SecretsManager]
|
||||
[Authorize("secrets")]
|
||||
public class ProjectsController : Controller
|
||||
{
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly IUserService _userService;
|
||||
private readonly IProjectRepository _projectRepository;
|
||||
private readonly ICreateProjectCommand _createProjectCommand;
|
||||
private readonly IUpdateProjectCommand _updateProjectCommand;
|
||||
private readonly IDeleteProjectCommand _deleteProjectCommand;
|
||||
private readonly ICurrentContext _currentContext;
|
||||
|
||||
public ProjectsController(
|
||||
ICurrentContext currentContext,
|
||||
IUserService userService,
|
||||
IProjectRepository projectRepository,
|
||||
ICreateProjectCommand createProjectCommand,
|
||||
IUpdateProjectCommand updateProjectCommand,
|
||||
IDeleteProjectCommand deleteProjectCommand,
|
||||
ICurrentContext currentContext)
|
||||
IDeleteProjectCommand deleteProjectCommand)
|
||||
{
|
||||
_currentContext = currentContext;
|
||||
_userService = userService;
|
||||
_projectRepository = projectRepository;
|
||||
_createProjectCommand = createProjectCommand;
|
||||
_updateProjectCommand = updateProjectCommand;
|
||||
_deleteProjectCommand = deleteProjectCommand;
|
||||
_currentContext = currentContext;
|
||||
}
|
||||
|
||||
[HttpPost("organizations/{organizationId}/projects")]
|
||||
public async Task<ProjectResponseModel> CreateAsync([FromRoute] Guid organizationId, [FromBody] ProjectCreateRequestModel createRequest)
|
||||
[HttpGet("organizations/{organizationId}/projects")]
|
||||
public async Task<ListResponseModel<ProjectResponseModel>> ListByOrganizationAsync([FromRoute] Guid organizationId)
|
||||
{
|
||||
if (!await _currentContext.OrganizationUser(organizationId))
|
||||
if (!_currentContext.AccessSecretsManager(organizationId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var result = await _createProjectCommand.CreateAsync(createRequest.ToProject(organizationId));
|
||||
return new ProjectResponseModel(result);
|
||||
}
|
||||
|
||||
[HttpPut("projects/{id}")]
|
||||
public async Task<ProjectResponseModel> UpdateProjectAsync([FromRoute] Guid id, [FromBody] ProjectUpdateRequestModel updateRequest)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
|
||||
var result = await _updateProjectCommand.UpdateAsync(updateRequest.ToProject(id), userId);
|
||||
return new ProjectResponseModel(result);
|
||||
}
|
||||
|
||||
[HttpGet("organizations/{organizationId}/projects")]
|
||||
public async Task<ListResponseModel<ProjectResponseModel>> GetProjectsByOrganizationAsync(
|
||||
[FromRoute] Guid organizationId)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var orgAdmin = await _currentContext.OrganizationAdmin(organizationId);
|
||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
||||
@@ -72,8 +57,29 @@ public class ProjectsController : Controller
|
||||
return new ListResponseModel<ProjectResponseModel>(responses);
|
||||
}
|
||||
|
||||
[HttpPost("organizations/{organizationId}/projects")]
|
||||
public async Task<ProjectResponseModel> CreateAsync([FromRoute] Guid organizationId, [FromBody] ProjectCreateRequestModel createRequest)
|
||||
{
|
||||
if (!_currentContext.AccessSecretsManager(organizationId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var result = await _createProjectCommand.CreateAsync(createRequest.ToProject(organizationId));
|
||||
return new ProjectResponseModel(result);
|
||||
}
|
||||
|
||||
[HttpPut("projects/{id}")]
|
||||
public async Task<ProjectResponseModel> UpdateAsync([FromRoute] Guid id, [FromBody] ProjectUpdateRequestModel updateRequest)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
|
||||
var result = await _updateProjectCommand.UpdateAsync(updateRequest.ToProject(id), userId);
|
||||
return new ProjectResponseModel(result);
|
||||
}
|
||||
|
||||
[HttpGet("projects/{id}")]
|
||||
public async Task<ProjectResponseModel> GetProjectAsync([FromRoute] Guid id)
|
||||
public async Task<ProjectResponseModel> GetAsync([FromRoute] Guid id)
|
||||
{
|
||||
var project = await _projectRepository.GetByIdAsync(id);
|
||||
if (project == null)
|
||||
@@ -81,6 +87,11 @@ public class ProjectsController : Controller
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
if (!_currentContext.AccessSecretsManager(project.OrganizationId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var orgAdmin = await _currentContext.OrganizationAdmin(project.OrganizationId);
|
||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
||||
@@ -101,7 +112,7 @@ public class ProjectsController : Controller
|
||||
}
|
||||
|
||||
[HttpPost("projects/delete")]
|
||||
public async Task<ListResponseModel<BulkDeleteResponseModel>> BulkDeleteProjectsAsync([FromBody] List<Guid> ids)
|
||||
public async Task<ListResponseModel<BulkDeleteResponseModel>> BulkDeleteAsync([FromBody] List<Guid> ids)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
|
||||
|
||||
@@ -1,6 +1,7 @@
|
||||
using Bit.Api.Models.Response;
|
||||
using Bit.Api.SecretsManager.Models.Request;
|
||||
using Bit.Api.SecretsManager.Models.Response;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.SecretsManager.Commands.Secrets.Interfaces;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
@@ -13,30 +14,52 @@ namespace Bit.Api.SecretsManager.Controllers;
|
||||
[Authorize("secrets")]
|
||||
public class SecretsController : Controller
|
||||
{
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly ISecretRepository _secretRepository;
|
||||
private readonly IProjectRepository _projectRepository;
|
||||
private readonly ICreateSecretCommand _createSecretCommand;
|
||||
private readonly IUpdateSecretCommand _updateSecretCommand;
|
||||
private readonly IDeleteSecretCommand _deleteSecretCommand;
|
||||
|
||||
public SecretsController(ISecretRepository secretRepository, IProjectRepository projectRepository, ICreateSecretCommand createSecretCommand, IUpdateSecretCommand updateSecretCommand, IDeleteSecretCommand deleteSecretCommand)
|
||||
public SecretsController(
|
||||
ICurrentContext currentContext,
|
||||
ISecretRepository secretRepository,
|
||||
ICreateSecretCommand createSecretCommand,
|
||||
IUpdateSecretCommand updateSecretCommand,
|
||||
IDeleteSecretCommand deleteSecretCommand)
|
||||
{
|
||||
_currentContext = currentContext;
|
||||
_secretRepository = secretRepository;
|
||||
_projectRepository = projectRepository;
|
||||
_createSecretCommand = createSecretCommand;
|
||||
_updateSecretCommand = updateSecretCommand;
|
||||
_deleteSecretCommand = deleteSecretCommand;
|
||||
}
|
||||
|
||||
[HttpGet("organizations/{organizationId}/secrets")]
|
||||
public async Task<SecretWithProjectsListResponseModel> GetSecretsByOrganizationAsync([FromRoute] Guid organizationId)
|
||||
public async Task<SecretWithProjectsListResponseModel> ListByOrganizationAsync([FromRoute] Guid organizationId)
|
||||
{
|
||||
if (!_currentContext.AccessSecretsManager(organizationId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var secrets = await _secretRepository.GetManyByOrganizationIdAsync(organizationId);
|
||||
return new SecretWithProjectsListResponseModel(secrets);
|
||||
}
|
||||
|
||||
[HttpPost("organizations/{organizationId}/secrets")]
|
||||
public async Task<SecretResponseModel> CreateAsync([FromRoute] Guid organizationId, [FromBody] SecretCreateRequestModel createRequest)
|
||||
{
|
||||
if (!_currentContext.AccessSecretsManager(organizationId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var result = await _createSecretCommand.CreateAsync(createRequest.ToSecret(organizationId));
|
||||
return new SecretResponseModel(result);
|
||||
}
|
||||
|
||||
[HttpGet("secrets/{id}")]
|
||||
public async Task<SecretResponseModel> GetSecretAsync([FromRoute] Guid id)
|
||||
public async Task<SecretResponseModel> GetAsync([FromRoute] Guid id)
|
||||
{
|
||||
var secret = await _secretRepository.GetByIdAsync(id);
|
||||
if (secret == null)
|
||||
@@ -54,15 +77,8 @@ public class SecretsController : Controller
|
||||
return new SecretWithProjectsListResponseModel(secrets);
|
||||
}
|
||||
|
||||
[HttpPost("organizations/{organizationId}/secrets")]
|
||||
public async Task<SecretResponseModel> CreateSecretAsync([FromRoute] Guid organizationId, [FromBody] SecretCreateRequestModel createRequest)
|
||||
{
|
||||
var result = await _createSecretCommand.CreateAsync(createRequest.ToSecret(organizationId));
|
||||
return new SecretResponseModel(result);
|
||||
}
|
||||
|
||||
[HttpPut("secrets/{id}")]
|
||||
public async Task<SecretResponseModel> UpdateSecretAsync([FromRoute] Guid id, [FromBody] SecretUpdateRequestModel updateRequest)
|
||||
public async Task<SecretResponseModel> UpdateAsync([FromRoute] Guid id, [FromBody] SecretUpdateRequestModel updateRequest)
|
||||
{
|
||||
var result = await _updateSecretCommand.UpdateAsync(updateRequest.ToSecret(id));
|
||||
return new SecretResponseModel(result);
|
||||
|
||||
@@ -8,43 +8,50 @@ using Bit.Core.SecretsManager.Commands.AccessTokens.Interfaces;
|
||||
using Bit.Core.SecretsManager.Commands.ServiceAccounts.Interfaces;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
|
||||
namespace Bit.Api.SecretsManager.Controllers;
|
||||
|
||||
[SecretsManager]
|
||||
[Authorize("secrets")]
|
||||
[Route("service-accounts")]
|
||||
public class ServiceAccountsController : Controller
|
||||
{
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly IApiKeyRepository _apiKeyRepository;
|
||||
private readonly ICreateAccessTokenCommand _createAccessTokenCommand;
|
||||
private readonly ICreateServiceAccountCommand _createServiceAccountCommand;
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly IServiceAccountRepository _serviceAccountRepository;
|
||||
private readonly IUpdateServiceAccountCommand _updateServiceAccountCommand;
|
||||
private readonly IUserService _userService;
|
||||
|
||||
public ServiceAccountsController(
|
||||
ICurrentContext currentContext,
|
||||
IUserService userService,
|
||||
IServiceAccountRepository serviceAccountRepository,
|
||||
ICreateAccessTokenCommand createAccessTokenCommand,
|
||||
IApiKeyRepository apiKeyRepository, ICreateServiceAccountCommand createServiceAccountCommand,
|
||||
IUpdateServiceAccountCommand updateServiceAccountCommand,
|
||||
ICurrentContext currentContext)
|
||||
IUpdateServiceAccountCommand updateServiceAccountCommand)
|
||||
{
|
||||
_currentContext = currentContext;
|
||||
_userService = userService;
|
||||
_serviceAccountRepository = serviceAccountRepository;
|
||||
_apiKeyRepository = apiKeyRepository;
|
||||
_createServiceAccountCommand = createServiceAccountCommand;
|
||||
_updateServiceAccountCommand = updateServiceAccountCommand;
|
||||
_createAccessTokenCommand = createAccessTokenCommand;
|
||||
_currentContext = currentContext;
|
||||
}
|
||||
|
||||
[HttpGet("/organizations/{organizationId}/service-accounts")]
|
||||
public async Task<ListResponseModel<ServiceAccountResponseModel>> GetServiceAccountsByOrganizationAsync(
|
||||
public async Task<ListResponseModel<ServiceAccountResponseModel>> ListByOrganizationAsync(
|
||||
[FromRoute] Guid organizationId)
|
||||
{
|
||||
if (!_currentContext.AccessSecretsManager(organizationId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var orgAdmin = await _currentContext.OrganizationAdmin(organizationId);
|
||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
||||
@@ -57,10 +64,10 @@ public class ServiceAccountsController : Controller
|
||||
}
|
||||
|
||||
[HttpPost("/organizations/{organizationId}/service-accounts")]
|
||||
public async Task<ServiceAccountResponseModel> CreateServiceAccountAsync([FromRoute] Guid organizationId,
|
||||
public async Task<ServiceAccountResponseModel> CreateAsync([FromRoute] Guid organizationId,
|
||||
[FromBody] ServiceAccountCreateRequestModel createRequest)
|
||||
{
|
||||
if (!await _currentContext.OrganizationUser(organizationId))
|
||||
if (!_currentContext.AccessSecretsManager(organizationId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
@@ -70,7 +77,7 @@ public class ServiceAccountsController : Controller
|
||||
}
|
||||
|
||||
[HttpPut("{id}")]
|
||||
public async Task<ServiceAccountResponseModel> UpdateServiceAccountAsync([FromRoute] Guid id,
|
||||
public async Task<ServiceAccountResponseModel> UpdateAsync([FromRoute] Guid id,
|
||||
[FromBody] ServiceAccountUpdateRequestModel updateRequest)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
@@ -89,6 +96,11 @@ public class ServiceAccountsController : Controller
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
if (!_currentContext.AccessSecretsManager(serviceAccount.OrganizationId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var orgAdmin = await _currentContext.OrganizationAdmin(serviceAccount.OrganizationId);
|
||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
||||
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Models.Data;
|
||||
using Bit.Core.Models.Data.Organizations.OrganizationUsers;
|
||||
using Bit.Core.Utilities;
|
||||
|
||||
namespace Bit.Core.Context;
|
||||
@@ -9,14 +9,16 @@ public class CurrentContentOrganization
|
||||
{
|
||||
public CurrentContentOrganization() { }
|
||||
|
||||
public CurrentContentOrganization(OrganizationUser orgUser)
|
||||
public CurrentContentOrganization(OrganizationUserOrganizationDetails orgUser)
|
||||
{
|
||||
Id = orgUser.OrganizationId;
|
||||
Type = orgUser.Type;
|
||||
Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(orgUser.Permissions);
|
||||
AccessSecretsManager = orgUser.AccessSecretsManager && orgUser.UseSecretsManager;
|
||||
}
|
||||
|
||||
public Guid Id { get; set; }
|
||||
public OrganizationUserType Type { get; set; }
|
||||
public Permissions Permissions { get; set; }
|
||||
public bool AccessSecretsManager { get; set; }
|
||||
}
|
||||
|
||||
@@ -157,6 +157,10 @@ public class CurrentContext : ICurrentContext
|
||||
|
||||
private List<CurrentContentOrganization> GetOrganizations(Dictionary<string, IEnumerable<Claim>> claimsDict, bool orgApi)
|
||||
{
|
||||
var accessSecretsManager = claimsDict.ContainsKey(Claims.SecretsManagerAccess)
|
||||
? claimsDict[Claims.SecretsManagerAccess].ToDictionary(s => s.Value, _ => true)
|
||||
: new Dictionary<string, bool>();
|
||||
|
||||
var organizations = new List<CurrentContentOrganization>();
|
||||
if (claimsDict.ContainsKey(Claims.OrganizationOwner))
|
||||
{
|
||||
@@ -164,7 +168,8 @@ public class CurrentContext : ICurrentContext
|
||||
new CurrentContentOrganization
|
||||
{
|
||||
Id = new Guid(c.Value),
|
||||
Type = OrganizationUserType.Owner
|
||||
Type = OrganizationUserType.Owner,
|
||||
AccessSecretsManager = accessSecretsManager.ContainsKey(c.Value),
|
||||
}));
|
||||
}
|
||||
else if (orgApi && OrganizationId.HasValue)
|
||||
@@ -172,7 +177,7 @@ public class CurrentContext : ICurrentContext
|
||||
organizations.Add(new CurrentContentOrganization
|
||||
{
|
||||
Id = OrganizationId.Value,
|
||||
Type = OrganizationUserType.Owner
|
||||
Type = OrganizationUserType.Owner,
|
||||
});
|
||||
}
|
||||
|
||||
@@ -182,7 +187,8 @@ public class CurrentContext : ICurrentContext
|
||||
new CurrentContentOrganization
|
||||
{
|
||||
Id = new Guid(c.Value),
|
||||
Type = OrganizationUserType.Admin
|
||||
Type = OrganizationUserType.Admin,
|
||||
AccessSecretsManager = accessSecretsManager.ContainsKey(c.Value),
|
||||
}));
|
||||
}
|
||||
|
||||
@@ -192,7 +198,8 @@ public class CurrentContext : ICurrentContext
|
||||
new CurrentContentOrganization
|
||||
{
|
||||
Id = new Guid(c.Value),
|
||||
Type = OrganizationUserType.User
|
||||
Type = OrganizationUserType.User,
|
||||
AccessSecretsManager = accessSecretsManager.ContainsKey(c.Value),
|
||||
}));
|
||||
}
|
||||
|
||||
@@ -202,7 +209,8 @@ public class CurrentContext : ICurrentContext
|
||||
new CurrentContentOrganization
|
||||
{
|
||||
Id = new Guid(c.Value),
|
||||
Type = OrganizationUserType.Manager
|
||||
Type = OrganizationUserType.Manager,
|
||||
AccessSecretsManager = accessSecretsManager.ContainsKey(c.Value),
|
||||
}));
|
||||
}
|
||||
|
||||
@@ -213,7 +221,8 @@ public class CurrentContext : ICurrentContext
|
||||
{
|
||||
Id = new Guid(c.Value),
|
||||
Type = OrganizationUserType.Custom,
|
||||
Permissions = SetOrganizationPermissionsFromClaims(c.Value, claimsDict)
|
||||
Permissions = SetOrganizationPermissionsFromClaims(c.Value, claimsDict),
|
||||
AccessSecretsManager = accessSecretsManager.ContainsKey(c.Value),
|
||||
}));
|
||||
}
|
||||
|
||||
@@ -434,12 +443,17 @@ public class CurrentContext : ICurrentContext
|
||||
return po?.ProviderId;
|
||||
}
|
||||
|
||||
public bool AccessSecretsManager(Guid orgId)
|
||||
{
|
||||
return Organizations?.Any(o => o.Id == orgId && o.AccessSecretsManager) ?? false;
|
||||
}
|
||||
|
||||
public async Task<ICollection<CurrentContentOrganization>> OrganizationMembershipAsync(
|
||||
IOrganizationUserRepository organizationUserRepository, Guid userId)
|
||||
{
|
||||
if (Organizations == null)
|
||||
{
|
||||
var userOrgs = await organizationUserRepository.GetManyByUserAsync(userId);
|
||||
var userOrgs = await organizationUserRepository.GetManyDetailsByUserAsync(userId);
|
||||
Organizations = userOrgs.Where(ou => ou.Status == OrganizationUserStatusType.Confirmed)
|
||||
.Select(ou => new CurrentContentOrganization(ou)).ToList();
|
||||
}
|
||||
|
||||
@@ -68,4 +68,5 @@ public interface ICurrentContext
|
||||
IProviderUserRepository providerUserRepository, Guid userId);
|
||||
|
||||
Task<Guid?> ProviderIdForOrg(Guid orgId);
|
||||
bool AccessSecretsManager(Guid organizationId);
|
||||
}
|
||||
|
||||
@@ -22,6 +22,7 @@ public class OrganizationUser : ITableObject<Guid>, IExternal
|
||||
public DateTime CreationDate { get; internal set; } = DateTime.UtcNow;
|
||||
public DateTime RevisionDate { get; internal set; } = DateTime.UtcNow;
|
||||
public string Permissions { get; set; }
|
||||
public bool AccessSecretsManager { get; set; }
|
||||
|
||||
public void SetNewId()
|
||||
{
|
||||
|
||||
@@ -6,6 +6,7 @@ public static class Claims
|
||||
public const string SecurityStamp = "sstamp";
|
||||
public const string Premium = "premium";
|
||||
public const string Device = "device";
|
||||
|
||||
public const string OrganizationOwner = "orgowner";
|
||||
public const string OrganizationAdmin = "orgadmin";
|
||||
public const string OrganizationManager = "orgmanager";
|
||||
@@ -14,6 +15,8 @@ public static class Claims
|
||||
public const string ProviderAdmin = "providerprovideradmin";
|
||||
public const string ProviderServiceUser = "providerserviceuser";
|
||||
|
||||
public const string SecretsManagerAccess = "accesssecretsmanager";
|
||||
|
||||
// Service Account
|
||||
public const string Organization = "organization";
|
||||
|
||||
|
||||
@@ -8,6 +8,7 @@ public class OrganizationUserInvite
|
||||
public IEnumerable<string> Emails { get; set; }
|
||||
public Enums.OrganizationUserType? Type { get; set; }
|
||||
public bool AccessAll { get; set; }
|
||||
public bool AccessSecretsManager { get; set; }
|
||||
public Permissions Permissions { get; set; }
|
||||
public IEnumerable<CollectionAccessSelection> Collections { get; set; }
|
||||
public IEnumerable<Guid> Groups { get; set; }
|
||||
@@ -19,6 +20,7 @@ public class OrganizationUserInvite
|
||||
Emails = requestModel.Emails;
|
||||
Type = requestModel.Type;
|
||||
AccessAll = requestModel.AccessAll;
|
||||
AccessSecretsManager = requestModel.AccessSecretsManager;
|
||||
Collections = requestModel.Collections;
|
||||
Groups = requestModel.Groups;
|
||||
Permissions = requestModel.Permissions;
|
||||
|
||||
@@ -7,6 +7,7 @@ public class OrganizationUserInviteData
|
||||
public IEnumerable<string> Emails { get; set; }
|
||||
public OrganizationUserType? Type { get; set; }
|
||||
public bool AccessAll { get; set; }
|
||||
public bool AccessSecretsManager { get; set; }
|
||||
public IEnumerable<CollectionAccessSelection> Collections { get; set; }
|
||||
public IEnumerable<Guid> Groups { get; set; }
|
||||
public Permissions Permissions { get; set; }
|
||||
|
||||
@@ -41,4 +41,5 @@ public class OrganizationUserOrganizationDetails
|
||||
public DateTime? FamilySponsorshipLastSyncDate { get; set; }
|
||||
public DateTime? FamilySponsorshipValidUntil { get; set; }
|
||||
public bool? FamilySponsorshipToDelete { get; set; }
|
||||
public bool AccessSecretsManager { get; set; }
|
||||
}
|
||||
|
||||
@@ -17,6 +17,7 @@ public class OrganizationUserUserDetails : IExternal, ITwoFactorProvidersUser
|
||||
public OrganizationUserStatusType Status { get; set; }
|
||||
public OrganizationUserType Type { get; set; }
|
||||
public bool AccessAll { get; set; }
|
||||
public bool AccessSecretsManager { get; set; }
|
||||
public string ExternalId { get; set; }
|
||||
public string SsoExternalId { get; set; }
|
||||
public string Permissions { get; set; }
|
||||
|
||||
@@ -1241,6 +1241,7 @@ public class OrganizationService : IOrganizationService
|
||||
Type = invite.Type.Value,
|
||||
Status = OrganizationUserStatusType.Invited,
|
||||
AccessAll = invite.AccessAll,
|
||||
AccessSecretsManager = invite.AccessSecretsManager,
|
||||
ExternalId = externalId,
|
||||
CreationDate = DateTime.UtcNow,
|
||||
RevisionDate = DateTime.UtcNow,
|
||||
|
||||
@@ -692,6 +692,15 @@ public static class CoreHelpers
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
||||
// Secrets Manager
|
||||
foreach (var org in group)
|
||||
{
|
||||
if (org.AccessSecretsManager)
|
||||
{
|
||||
claims.Add(new KeyValuePair<string, string>(Claims.SecretsManagerAccess, org.Id.ToString()));
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@@ -25,6 +25,7 @@ public class ApiResources
|
||||
Claims.OrganizationCustom,
|
||||
Claims.ProviderAdmin,
|
||||
Claims.ProviderServiceUser,
|
||||
Claims.SecretsManagerAccess,
|
||||
}),
|
||||
new(ApiScopes.Internal, new[] { JwtClaimTypes.Subject }),
|
||||
new(ApiScopes.ApiPush, new[] { JwtClaimTypes.Subject }),
|
||||
|
||||
@@ -59,7 +59,7 @@ public static class DapperHelpers
|
||||
public static DataTable ToTvp(this IEnumerable<OrganizationUser> orgUsers)
|
||||
{
|
||||
var table = new DataTable();
|
||||
table.SetTypeName("[dbo].[OrganizationUserType]");
|
||||
table.SetTypeName("[dbo].[OrganizationUserType2]");
|
||||
|
||||
var columnData = new List<(string name, Type type, Func<OrganizationUser, object> getter)>
|
||||
{
|
||||
@@ -76,6 +76,7 @@ public static class DapperHelpers
|
||||
(nameof(OrganizationUser.RevisionDate), typeof(DateTime), ou => ou.RevisionDate),
|
||||
(nameof(OrganizationUser.Permissions), typeof(string), ou => ou.Permissions),
|
||||
(nameof(OrganizationUser.ResetPasswordKey), typeof(string), ou => ou.ResetPasswordKey),
|
||||
(nameof(OrganizationUser.AccessSecretsManager), typeof(bool), ou => ou.AccessSecretsManager),
|
||||
};
|
||||
|
||||
return orgUsers.BuildTable(table, columnData);
|
||||
|
||||
@@ -405,7 +405,7 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
|
||||
using (var connection = new SqlConnection(_marsConnectionString))
|
||||
{
|
||||
var results = await connection.ExecuteAsync(
|
||||
$"[{Schema}].[{Table}_CreateMany]",
|
||||
$"[{Schema}].[{Table}_CreateMany2]",
|
||||
new { OrganizationUsersInput = orgUsersTVP },
|
||||
commandType: CommandType.StoredProcedure);
|
||||
}
|
||||
@@ -424,7 +424,7 @@ public class OrganizationUserRepository : Repository<OrganizationUser, Guid>, IO
|
||||
using (var connection = new SqlConnection(_marsConnectionString))
|
||||
{
|
||||
var results = await connection.ExecuteAsync(
|
||||
$"[{Schema}].[{Table}_UpdateMany]",
|
||||
$"[{Schema}].[{Table}_UpdateMany2]",
|
||||
new { OrganizationUsersInput = orgUsersTVP },
|
||||
commandType: CommandType.StoredProcedure);
|
||||
}
|
||||
|
||||
@@ -37,6 +37,7 @@ public class OrganizationUserOrganizationDetailsViewQuery : IQuery<OrganizationU
|
||||
Use2fa = o.Use2fa,
|
||||
UseApi = o.UseApi,
|
||||
UseResetPassword = o.UseResetPassword,
|
||||
UseSecretsManager = o.UseSecretsManager,
|
||||
SelfHost = o.SelfHost,
|
||||
UsersGetPremium = o.UsersGetPremium,
|
||||
UseCustomPermissions = o.UseCustomPermissions,
|
||||
@@ -58,7 +59,8 @@ public class OrganizationUserOrganizationDetailsViewQuery : IQuery<OrganizationU
|
||||
FamilySponsorshipFriendlyName = os.FriendlyName,
|
||||
FamilySponsorshipLastSyncDate = os.LastSyncDate,
|
||||
FamilySponsorshipToDelete = os.ToDelete,
|
||||
FamilySponsorshipValidUntil = os.ValidUntil
|
||||
FamilySponsorshipValidUntil = os.ValidUntil,
|
||||
AccessSecretsManager = ou.AccessSecretsManager,
|
||||
};
|
||||
return query;
|
||||
}
|
||||
|
||||
@@ -29,6 +29,7 @@ public class OrganizationUserUserDetailsViewQuery : IQuery<OrganizationUserUserD
|
||||
Permissions = x.ou.Permissions,
|
||||
ResetPasswordKey = x.ou.ResetPasswordKey,
|
||||
UsesKeyConnector = x.u != null && x.u.UsesKeyConnector,
|
||||
AccessSecretsManager = x.ou.AccessSecretsManager,
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
@@ -238,6 +238,7 @@
|
||||
<Build Include="dbo\Stored Procedures\OrganizationUser_Activate.sql" />
|
||||
<Build Include="dbo\Stored Procedures\OrganizationUser_Create.sql" />
|
||||
<Build Include="dbo\Stored Procedures\OrganizationUser_CreateMany.sql" />
|
||||
<Build Include="dbo\Stored Procedures\OrganizationUser_CreateMany2.sql" />
|
||||
<Build Include="dbo\Stored Procedures\OrganizationUser_CreateWithCollections.sql" />
|
||||
<Build Include="dbo\Stored Procedures\OrganizationUser_Deactivate.sql" />
|
||||
<Build Include="dbo\Stored Procedures\OrganizationUser_DeleteById.sql" />
|
||||
@@ -258,6 +259,7 @@
|
||||
<Build Include="dbo\Stored Procedures\OrganizationUser_SelectKnownEmails.sql" />
|
||||
<Build Include="dbo\Stored Procedures\OrganizationUser_Update.sql" />
|
||||
<Build Include="dbo\Stored Procedures\OrganizationUser_UpdateMany.sql" />
|
||||
<Build Include="dbo\Stored Procedures\OrganizationUser_UpdateMany2.sql" />
|
||||
<Build Include="dbo\Stored Procedures\OrganizationUser_UpdateWithCollections.sql" />
|
||||
<Build Include="dbo\Stored Procedures\Organization_Create.sql" />
|
||||
<Build Include="dbo\Stored Procedures\Organization_DeleteById.sql" />
|
||||
@@ -400,6 +402,7 @@
|
||||
<Build Include="dbo\User Defined Types\GuidIdArray.sql" />
|
||||
<Build Include="dbo\User Defined Types\OrganizationSponsorshipType.sql" />
|
||||
<Build Include="dbo\User Defined Types\OrganizationUserType.sql" />
|
||||
<Build Include="dbo\User Defined Types\OrganizationUserType2.sql" />
|
||||
<Build Include="dbo\User Defined Types\SelectionReadOnlyArray.sql" />
|
||||
<Build Include="dbo\User Defined Types\TwoGuidIdArray.sql" />
|
||||
<Build Include="dbo\Views\AuthRequestView.sql" />
|
||||
|
||||
@@ -11,7 +11,8 @@
|
||||
@CreationDate DATETIME2(7),
|
||||
@RevisionDate DATETIME2(7),
|
||||
@Permissions NVARCHAR(MAX),
|
||||
@ResetPasswordKey VARCHAR(MAX)
|
||||
@ResetPasswordKey VARCHAR(MAX),
|
||||
@AccessSecretsManager BIT = 0
|
||||
AS
|
||||
BEGIN
|
||||
SET NOCOUNT ON
|
||||
@@ -30,7 +31,8 @@ BEGIN
|
||||
[CreationDate],
|
||||
[RevisionDate],
|
||||
[Permissions],
|
||||
[ResetPasswordKey]
|
||||
[ResetPasswordKey],
|
||||
[AccessSecretsManager]
|
||||
)
|
||||
VALUES
|
||||
(
|
||||
@@ -46,6 +48,7 @@ BEGIN
|
||||
@CreationDate,
|
||||
@RevisionDate,
|
||||
@Permissions,
|
||||
@ResetPasswordKey
|
||||
@ResetPasswordKey,
|
||||
@AccessSecretsManager
|
||||
)
|
||||
END
|
||||
|
||||
@@ -0,0 +1,42 @@
|
||||
CREATE PROCEDURE [dbo].[OrganizationUser_CreateMany2]
|
||||
@OrganizationUsersInput [dbo].[OrganizationUserType2] READONLY
|
||||
AS
|
||||
BEGIN
|
||||
SET NOCOUNT ON
|
||||
|
||||
INSERT INTO [dbo].[OrganizationUser]
|
||||
(
|
||||
[Id],
|
||||
[OrganizationId],
|
||||
[UserId],
|
||||
[Email],
|
||||
[Key],
|
||||
[Status],
|
||||
[Type],
|
||||
[AccessAll],
|
||||
[ExternalId],
|
||||
[CreationDate],
|
||||
[RevisionDate],
|
||||
[Permissions],
|
||||
[ResetPasswordKey],
|
||||
[AccessSecretsManager]
|
||||
)
|
||||
SELECT
|
||||
OU.[Id],
|
||||
OU.[OrganizationId],
|
||||
OU.[UserId],
|
||||
OU.[Email],
|
||||
OU.[Key],
|
||||
OU.[Status],
|
||||
OU.[Type],
|
||||
OU.[AccessAll],
|
||||
OU.[ExternalId],
|
||||
OU.[CreationDate],
|
||||
OU.[RevisionDate],
|
||||
OU.[Permissions],
|
||||
OU.[ResetPasswordKey],
|
||||
OU.[AccessSecretsManager]
|
||||
FROM
|
||||
@OrganizationUsersInput OU
|
||||
END
|
||||
GO
|
||||
@@ -12,12 +12,13 @@
|
||||
@RevisionDate DATETIME2(7),
|
||||
@Permissions NVARCHAR(MAX),
|
||||
@ResetPasswordKey VARCHAR(MAX),
|
||||
@Collections AS [dbo].[SelectionReadOnlyArray] READONLY
|
||||
@Collections AS [dbo].[SelectionReadOnlyArray] READONLY,
|
||||
@AccessSecretsManager BIT = 0
|
||||
AS
|
||||
BEGIN
|
||||
SET NOCOUNT ON
|
||||
|
||||
EXEC [dbo].[OrganizationUser_Create] @Id, @OrganizationId, @UserId, @Email, @Key, @Status, @Type, @AccessAll, @ExternalId, @CreationDate, @RevisionDate, @Permissions, @ResetPasswordKey
|
||||
EXEC [dbo].[OrganizationUser_Create] @Id, @OrganizationId, @UserId, @Email, @Key, @Status, @Type, @AccessAll, @ExternalId, @CreationDate, @RevisionDate, @Permissions, @ResetPasswordKey, @AccessSecretsManager
|
||||
|
||||
;WITH [AvailableCollectionsCTE] AS(
|
||||
SELECT
|
||||
|
||||
@@ -11,7 +11,8 @@
|
||||
@CreationDate DATETIME2(7),
|
||||
@RevisionDate DATETIME2(7),
|
||||
@Permissions NVARCHAR(MAX),
|
||||
@ResetPasswordKey VARCHAR(MAX)
|
||||
@ResetPasswordKey VARCHAR(MAX),
|
||||
@AccessSecretsManager BIT = 0
|
||||
AS
|
||||
BEGIN
|
||||
SET NOCOUNT ON
|
||||
@@ -30,7 +31,8 @@ BEGIN
|
||||
[CreationDate] = @CreationDate,
|
||||
[RevisionDate] = @RevisionDate,
|
||||
[Permissions] = @Permissions,
|
||||
[ResetPasswordKey] = @ResetPasswordKey
|
||||
[ResetPasswordKey] = @ResetPasswordKey,
|
||||
[AccessSecretsManager] = @AccessSecretsManager
|
||||
WHERE
|
||||
[Id] = @Id
|
||||
|
||||
|
||||
@@ -0,0 +1,34 @@
|
||||
CREATE PROCEDURE [dbo].[OrganizationUser_UpdateMany2]
|
||||
@OrganizationUsersInput [dbo].[OrganizationUserType2] READONLY
|
||||
AS
|
||||
BEGIN
|
||||
SET NOCOUNT ON
|
||||
|
||||
UPDATE
|
||||
OU
|
||||
SET
|
||||
[OrganizationId] = OUI.[OrganizationId],
|
||||
[UserId] = OUI.[UserId],
|
||||
[Email] = OUI.[Email],
|
||||
[Key] = OUI.[Key],
|
||||
[Status] = OUI.[Status],
|
||||
[Type] = OUI.[Type],
|
||||
[AccessAll] = OUI.[AccessAll],
|
||||
[ExternalId] = OUI.[ExternalId],
|
||||
[CreationDate] = OUI.[CreationDate],
|
||||
[RevisionDate] = OUI.[RevisionDate],
|
||||
[Permissions] = OUI.[Permissions],
|
||||
[ResetPasswordKey] = OUI.[ResetPasswordKey],
|
||||
[AccessSecretsManager] = OUI.[AccessSecretsManager]
|
||||
FROM
|
||||
[dbo].[OrganizationUser] OU
|
||||
INNER JOIN
|
||||
@OrganizationUsersInput OUI ON OU.Id = OUI.Id
|
||||
|
||||
EXEC [dbo].[User_BumpManyAccountRevisionDates]
|
||||
(
|
||||
SELECT UserId
|
||||
FROM @OrganizationUsersInput
|
||||
)
|
||||
END
|
||||
GO
|
||||
@@ -12,12 +12,13 @@
|
||||
@RevisionDate DATETIME2(7),
|
||||
@Permissions NVARCHAR(MAX),
|
||||
@ResetPasswordKey VARCHAR(MAX),
|
||||
@Collections AS [dbo].[SelectionReadOnlyArray] READONLY
|
||||
@Collections AS [dbo].[SelectionReadOnlyArray] READONLY,
|
||||
@AccessSecretsManager BIT = 0
|
||||
AS
|
||||
BEGIN
|
||||
SET NOCOUNT ON
|
||||
|
||||
EXEC [dbo].[OrganizationUser_Update] @Id, @OrganizationId, @UserId, @Email, @Key, @Status, @Type, @AccessAll, @ExternalId, @CreationDate, @RevisionDate, @Permissions, @ResetPasswordKey
|
||||
EXEC [dbo].[OrganizationUser_Update] @Id, @OrganizationId, @UserId, @Email, @Key, @Status, @Type, @AccessAll, @ExternalId, @CreationDate, @RevisionDate, @Permissions, @ResetPasswordKey, @AccessSecretsManager
|
||||
-- Update
|
||||
UPDATE
|
||||
[Target]
|
||||
|
||||
@@ -12,6 +12,7 @@
|
||||
[CreationDate] DATETIME2 (7) NOT NULL,
|
||||
[RevisionDate] DATETIME2 (7) NOT NULL,
|
||||
[Permissions] NVARCHAR (MAX) NULL,
|
||||
[AccessSecretsManager] BIT NOT NULL CONSTRAINT [DF_OrganizationUser_SecretsManager] DEFAULT (0),
|
||||
CONSTRAINT [PK_OrganizationUser] PRIMARY KEY CLUSTERED ([Id] ASC),
|
||||
CONSTRAINT [FK_OrganizationUser_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id]) ON DELETE CASCADE,
|
||||
CONSTRAINT [FK_OrganizationUser_User] FOREIGN KEY ([UserId]) REFERENCES [dbo].[User] ([Id])
|
||||
|
||||
16
src/Sql/dbo/User Defined Types/OrganizationUserType2.sql
Normal file
16
src/Sql/dbo/User Defined Types/OrganizationUserType2.sql
Normal file
@@ -0,0 +1,16 @@
|
||||
CREATE TYPE [dbo].[OrganizationUserType2] AS TABLE(
|
||||
[Id] UNIQUEIDENTIFIER,
|
||||
[OrganizationId] UNIQUEIDENTIFIER,
|
||||
[UserId] UNIQUEIDENTIFIER,
|
||||
[Email] NVARCHAR(256),
|
||||
[Key] VARCHAR(MAX),
|
||||
[Status] SMALLINT,
|
||||
[Type] TINYINT,
|
||||
[AccessAll] BIT,
|
||||
[ExternalId] NVARCHAR(300),
|
||||
[CreationDate] DATETIME2(7),
|
||||
[RevisionDate] DATETIME2(7),
|
||||
[Permissions] NVARCHAR(MAX),
|
||||
[ResetPasswordKey] VARCHAR(MAX),
|
||||
[AccessSecretsManager] BIT
|
||||
)
|
||||
@@ -39,7 +39,8 @@ SELECT
|
||||
OS.[FriendlyName] FamilySponsorshipFriendlyName,
|
||||
OS.[LastSyncDate] FamilySponsorshipLastSyncDate,
|
||||
OS.[ToDelete] FamilySponsorshipToDelete,
|
||||
OS.[ValidUntil] FamilySponsorshipValidUntil
|
||||
OS.[ValidUntil] FamilySponsorshipValidUntil,
|
||||
OU.[AccessSecretsManager]
|
||||
FROM
|
||||
[dbo].[OrganizationUser] OU
|
||||
LEFT JOIN
|
||||
|
||||
@@ -11,6 +11,7 @@ SELECT
|
||||
OU.[Status],
|
||||
OU.[Type],
|
||||
OU.[AccessAll],
|
||||
OU.[AccessSecretsManager],
|
||||
OU.[ExternalId],
|
||||
SU.[ExternalId] SsoExternalId,
|
||||
OU.[Permissions],
|
||||
|
||||
@@ -0,0 +1,2 @@
|
||||
-- Created 2023-01
|
||||
-- DELETE FILE
|
||||
@@ -0,0 +1,2 @@
|
||||
-- Created 2023-01
|
||||
-- DELETE FILE
|
||||
@@ -0,0 +1,2 @@
|
||||
-- Created 2023-01
|
||||
-- DELETE FILE
|
||||
Reference in New Issue
Block a user