[SM-909] Add service-account people access policy management endpoints (#3324)

* refactoring replace logic * model for policies + authz handler + unit tests * update AP repository * add new endpoints to controller * update unit tests and integration tests --------- Co-authored-by: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com>
2025-12-27 13:43:18 +00:00 · 2023-12-07 15:35:16 -06:00
parent a589af3588
commit f9232bcbb0
19 changed files with 1154 additions and 626 deletions
--- a/src/Api/SecretsManager/Models/Request/PeopleAccessPoliciesRequestModel.cs
+++ b/src/Api/SecretsManager/Models/Request/PeopleAccessPoliciesRequestModel.cs
@@ -61,4 +61,39 @@ public class PeopleAccessPoliciesRequestModel
            GroupAccessPolicies = groupAccessPolicies
        };
    }
+
+    public ServiceAccountPeopleAccessPolicies ToServiceAccountPeopleAccessPolicies(Guid grantedServiceAccountId, Guid organizationId)
+    {
+        var userAccessPolicies = UserAccessPolicyRequests?
+            .Select(x => x.ToUserServiceAccountAccessPolicy(grantedServiceAccountId, organizationId)).ToList();
+
+        var groupAccessPolicies = GroupAccessPolicyRequests?
+            .Select(x => x.ToGroupServiceAccountAccessPolicy(grantedServiceAccountId, organizationId)).ToList();
+
+        var policies = new List<BaseAccessPolicy>();
+        if (userAccessPolicies != null)
+        {
+            policies.AddRange(userAccessPolicies);
+        }
+
+        if (groupAccessPolicies != null)
+        {
+            policies.AddRange(groupAccessPolicies);
+        }
+
+        CheckForDistinctAccessPolicies(policies);
+
+        if (!policies.All(ap => ap.Read && ap.Write))
+        {
+            throw new BadRequestException("Service account access must be Can read, write");
+        }
+
+        return new ServiceAccountPeopleAccessPolicies
+        {
+            Id = grantedServiceAccountId,
+            OrganizationId = organizationId,
+            UserAccessPolicies = userAccessPolicies,
+            GroupAccessPolicies = groupAccessPolicies
+        };
+    }
 }
--- a/src/Api/SecretsManager/Models/Response/AccessPolicyResponseModel.cs
+++ b/src/Api/SecretsManager/Models/Response/AccessPolicyResponseModel.cs
@@ -69,10 +69,14 @@ public class UserServiceAccountAccessPolicyResponseModel : BaseAccessPolicyRespo
    public UserServiceAccountAccessPolicyResponseModel(UserServiceAccountAccessPolicy accessPolicy)
        : base(accessPolicy, _objectName)
    {
-        OrganizationUserId = accessPolicy.OrganizationUserId;
-        GrantedServiceAccountId = accessPolicy.GrantedServiceAccountId;
-        OrganizationUserName = GetUserDisplayName(accessPolicy.User);
-        UserId = accessPolicy.User?.Id;
+        SetProperties(accessPolicy);
+    }
+
+    public UserServiceAccountAccessPolicyResponseModel(UserServiceAccountAccessPolicy accessPolicy, Guid userId)
+        : base(accessPolicy, _objectName)
+    {
+        SetProperties(accessPolicy);
+        CurrentUser = accessPolicy.User?.Id == userId;
    }

    public UserServiceAccountAccessPolicyResponseModel() : base(new UserServiceAccountAccessPolicy(), _objectName)
@@ -83,6 +87,15 @@ public class UserServiceAccountAccessPolicyResponseModel : BaseAccessPolicyRespo
    public string? OrganizationUserName { get; set; }
    public Guid? UserId { get; set; }
    public Guid? GrantedServiceAccountId { get; set; }
+    public bool CurrentUser { get; set; }
+
+    private void SetProperties(UserServiceAccountAccessPolicy accessPolicy)
+    {
+        OrganizationUserId = accessPolicy.OrganizationUserId;
+        GrantedServiceAccountId = accessPolicy.GrantedServiceAccountId;
+        OrganizationUserName = GetUserDisplayName(accessPolicy.User);
+        UserId = accessPolicy.User?.Id;
+    }
 }

 public class GroupProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
--- a/src/Api/SecretsManager/Models/Response/ServiceAccountPeopleAccessPoliciesResponseModel.cs
+++ b/src/Api/SecretsManager/Models/Response/ServiceAccountPeopleAccessPoliciesResponseModel.cs
@@ -3,11 +3,11 @@ using Bit.Core.SecretsManager.Entities;

 namespace Bit.Api.SecretsManager.Models.Response;

-public class ServiceAccountAccessPoliciesResponseModel : ResponseModel
+public class ServiceAccountPeopleAccessPoliciesResponseModel : ResponseModel
 {
    private const string _objectName = "serviceAccountAccessPolicies";

-    public ServiceAccountAccessPoliciesResponseModel(IEnumerable<BaseAccessPolicy> baseAccessPolicies)
+    public ServiceAccountPeopleAccessPoliciesResponseModel(IEnumerable<BaseAccessPolicy> baseAccessPolicies, Guid userId)
        : base(_objectName)
    {
        if (baseAccessPolicies == null)
@@ -20,7 +20,7 @@ public class ServiceAccountAccessPoliciesResponseModel : ResponseModel
            switch (baseAccessPolicy)
            {
                case UserServiceAccountAccessPolicy accessPolicy:
-                    UserAccessPolicies.Add(new UserServiceAccountAccessPolicyResponseModel(accessPolicy));
+                    UserAccessPolicies.Add(new UserServiceAccountAccessPolicyResponseModel(accessPolicy, userId));
                    break;
                case GroupServiceAccountAccessPolicy accessPolicy:
                    GroupAccessPolicies.Add(new GroupServiceAccountAccessPolicyResponseModel(accessPolicy));
@@ -29,7 +29,7 @@ public class ServiceAccountAccessPoliciesResponseModel : ResponseModel
        }
    }

-    public ServiceAccountAccessPoliciesResponseModel() : base(_objectName)
+    public ServiceAccountPeopleAccessPoliciesResponseModel() : base(_objectName)
    {
    }