[SM-429] Add permission checks to access policy endpoints (#2628)

* Add permission checks to access policy endpoints * Fix unit tests * Add service account grant permission checks * Add service account grant tests * Add new endpoint unit tests * Cleanup unit tests add integration tests * User permission enum in create tests * Swap to NotFoundException for access checks * Add filter for potential grantees * Add in AccessSecretsManager check and test it * Add code review updates * Code review updates * Refactor potential grantees endpoint * Code review updates
2026-01-02 08:33:48 +00:00 · 2023-02-06 11:26:06 -06:00
parent 9110efa44e
commit cf669286ed
20 changed files with 1710 additions and 146 deletions
--- a/src/Core/SecretsManager/Entities/AccessPolicy.cs
+++ b/src/Core/SecretsManager/Entities/AccessPolicy.cs
@@ -24,34 +24,39 @@ public abstract class BaseAccessPolicy
 public class UserProjectAccessPolicy : BaseAccessPolicy
 {
    public Guid? OrganizationUserId { get; set; }
-    public Guid? GrantedProjectId { get; set; }
    public User? User { get; set; }
+    public Guid? GrantedProjectId { get; set; }
+    public Project? GrantedProject { get; set; }
 }

 public class UserServiceAccountAccessPolicy : BaseAccessPolicy
 {
    public Guid? OrganizationUserId { get; set; }
-    public Guid? GrantedServiceAccountId { get; set; }
    public User? User { get; set; }
+    public Guid? GrantedServiceAccountId { get; set; }
+    public ServiceAccount? GrantedServiceAccount { get; set; }
 }

 public class GroupProjectAccessPolicy : BaseAccessPolicy
 {
    public Guid? GroupId { get; set; }
-    public Guid? GrantedProjectId { get; set; }
    public Group? Group { get; set; }
+    public Guid? GrantedProjectId { get; set; }
+    public Project? GrantedProject { get; set; }
 }

 public class GroupServiceAccountAccessPolicy : BaseAccessPolicy
 {
    public Guid? GroupId { get; set; }
-    public Guid? GrantedServiceAccountId { get; set; }
    public Group? Group { get; set; }
+    public Guid? GrantedServiceAccountId { get; set; }
+    public ServiceAccount? GrantedServiceAccount { get; set; }
 }

 public class ServiceAccountProjectAccessPolicy : BaseAccessPolicy
 {
    public Guid? ServiceAccountId { get; set; }
-    public Guid? GrantedProjectId { get; set; }
    public ServiceAccount? ServiceAccount { get; set; }
+    public Guid? GrantedProjectId { get; set; }
+    public Project? GrantedProject { get; set; }
 }