[SM-910] Add service account granted policies management endpoints (#3736)

* Add the ability to get multi projects access * Add access policy helper + tests * Add new data/request models * Add access policy operations to repo * Add authz handler for new operations * Add new controller endpoints * add updating service account revision
2025-12-18 17:23:28 +00:00 · 2024-05-01 11:47:11 -05:00
parent a14646eaad
commit ebd88393c8
28 changed files with 1772 additions and 578 deletions
--- a/src/Core/SecretsManager/Models/Data/AccessPolicyUpdates/ServiceAccountProjectAccessPolicyUpdate.cs
+++ b/src/Core/SecretsManager/Models/Data/AccessPolicyUpdates/ServiceAccountProjectAccessPolicyUpdate.cs
@@ -0,0 +1,11 @@
+#nullable enable
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Enums.AccessPolicies;
+
+namespace Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
+
+public class ServiceAccountProjectAccessPolicyUpdate
+{
+    public AccessPolicyOperation Operation { get; set; }
+    public required ServiceAccountProjectAccessPolicy AccessPolicy { get; set; }
+}
--- a/src/Core/SecretsManager/Models/Data/ServiceAccountGrantedPolicies.cs
+++ b/src/Core/SecretsManager/Models/Data/ServiceAccountGrantedPolicies.cs
@@ -0,0 +1,83 @@
+#nullable enable
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Enums.AccessPolicies;
+using Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
+
+namespace Bit.Core.SecretsManager.Models.Data;
+
+public class ServiceAccountGrantedPolicies
+{
+    public ServiceAccountGrantedPolicies(Guid serviceAccountId, IEnumerable<BaseAccessPolicy> policies)
+    {
+        ServiceAccountId = serviceAccountId;
+        ProjectGrantedPolicies = policies.Where(x => x is ServiceAccountProjectAccessPolicy)
+            .Cast<ServiceAccountProjectAccessPolicy>().ToList();
+
+        var serviceAccount = ProjectGrantedPolicies.FirstOrDefault()?.ServiceAccount;
+        if (serviceAccount != null)
+        {
+            OrganizationId = serviceAccount.OrganizationId;
+        }
+    }
+
+    public ServiceAccountGrantedPolicies()
+    {
+    }
+
+    public Guid ServiceAccountId { get; set; }
+    public Guid OrganizationId { get; set; }
+
+    public IEnumerable<ServiceAccountProjectAccessPolicy> ProjectGrantedPolicies { get; set; } =
+        new List<ServiceAccountProjectAccessPolicy>();
+
+    public ServiceAccountGrantedPoliciesUpdates GetPolicyUpdates(ServiceAccountGrantedPolicies requested)
+    {
+        var currentProjectIds = ProjectGrantedPolicies.Select(p => p.GrantedProjectId!.Value).ToList();
+        var requestedProjectIds = requested.ProjectGrantedPolicies.Select(p => p.GrantedProjectId!.Value).ToList();
+
+        var projectIdsToBeDeleted = currentProjectIds.Except(requestedProjectIds).ToList();
+        var projectIdsToBeCreated = requestedProjectIds.Except(currentProjectIds).ToList();
+        var projectIdsToBeUpdated = GetProjectIdsToBeUpdated(requested);
+
+        var policiesToBeDeleted =
+            CreatePolicyUpdates(ProjectGrantedPolicies, projectIdsToBeDeleted, AccessPolicyOperation.Delete);
+        var policiesToBeCreated = CreatePolicyUpdates(requested.ProjectGrantedPolicies, projectIdsToBeCreated,
+            AccessPolicyOperation.Create);
+        var policiesToBeUpdated = CreatePolicyUpdates(requested.ProjectGrantedPolicies, projectIdsToBeUpdated,
+            AccessPolicyOperation.Update);
+
+        return new ServiceAccountGrantedPoliciesUpdates
+        {
+            OrganizationId = OrganizationId,
+            ServiceAccountId = ServiceAccountId,
+            ProjectGrantedPolicyUpdates =
+                policiesToBeDeleted.Concat(policiesToBeCreated).Concat(policiesToBeUpdated)
+        };
+    }
+
+    private static List<ServiceAccountProjectAccessPolicyUpdate> CreatePolicyUpdates(
+        IEnumerable<ServiceAccountProjectAccessPolicy> policies, List<Guid> projectIds,
+        AccessPolicyOperation operation) =>
+        policies
+            .Where(ap => projectIds.Contains(ap.GrantedProjectId!.Value))
+            .Select(ap => new ServiceAccountProjectAccessPolicyUpdate { Operation = operation, AccessPolicy = ap })
+            .ToList();
+
+    private List<Guid> GetProjectIdsToBeUpdated(ServiceAccountGrantedPolicies requested) =>
+        ProjectGrantedPolicies
+            .Where(currentAp => requested.ProjectGrantedPolicies.Any(requestedAp =>
+                requestedAp.GrantedProjectId == currentAp.GrantedProjectId &&
+                requestedAp.ServiceAccountId == currentAp.ServiceAccountId &&
+                (requestedAp.Write != currentAp.Write || requestedAp.Read != currentAp.Read)))
+            .Select(ap => ap.GrantedProjectId!.Value)
+            .ToList();
+}
+
+public class ServiceAccountGrantedPoliciesUpdates
+{
+    public Guid ServiceAccountId { get; set; }
+    public Guid OrganizationId { get; set; }
+
+    public IEnumerable<ServiceAccountProjectAccessPolicyUpdate> ProjectGrantedPolicyUpdates { get; set; } =
+        new List<ServiceAccountProjectAccessPolicyUpdate>();
+}
--- a/src/Core/SecretsManager/Models/Data/ServiceAccountGrantedPoliciesPermissionDetails.cs
+++ b/src/Core/SecretsManager/Models/Data/ServiceAccountGrantedPoliciesPermissionDetails.cs
@@ -0,0 +1,17 @@
+#nullable enable
+using Bit.Core.SecretsManager.Entities;
+
+namespace Bit.Core.SecretsManager.Models.Data;
+
+public class ServiceAccountGrantedPoliciesPermissionDetails
+{
+    public Guid ServiceAccountId { get; set; }
+    public Guid OrganizationId { get; set; }
+    public required IEnumerable<ServiceAccountProjectAccessPolicyPermissionDetails> ProjectGrantedPolicies { get; set; }
+}
+
+public class ServiceAccountProjectAccessPolicyPermissionDetails
+{
+    public required ServiceAccountProjectAccessPolicy AccessPolicy { get; set; }
+    public bool HasPermission { get; set; }
+}