bitwarden/server
1
0
Fork 0
mirror of https://github.com/bitwarden/server synced 2025-12-12 14:23:38 +00:00
Code Issues Releases Wiki Activity
Files
cd3a45c8c6ce1db3100d1c9732fc539c5693904a
server/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
Thomas Avery cd3a45c8c6 [SM-1030] Cleanup old access policy management code (#4015) 
* Remove access selector code

* Cleanup integration tests
2024-05-06 14:56:58 -05:00

321 lines
14 KiB
C#
Raw Blame History

using Bit.Api.Models.Response;
using Bit.Api.SecretsManager.Models.Request;
using Bit.Api.SecretsManager.Models.Response;
using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.SecretsManager.AuthorizationRequirements;
using Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
using Bit.Core.SecretsManager.Entities;
using Bit.Core.SecretsManager.Queries.AccessPolicies.Interfaces;
using Bit.Core.SecretsManager.Queries.Interfaces;
using Bit.Core.SecretsManager.Repositories;
using Bit.Core.Services;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
namespace Bit.Api.SecretsManager.Controllers;
[Authorize("secrets")]
public class AccessPoliciesController : Controller
{
private readonly IAccessClientQuery _accessClientQuery;
private readonly IAccessPolicyRepository _accessPolicyRepository;
private readonly IAuthorizationService _authorizationService;
private readonly ICurrentContext _currentContext;
private readonly IProjectRepository _projectRepository;
private readonly IServiceAccountGrantedPolicyUpdatesQuery _serviceAccountGrantedPolicyUpdatesQuery;
private readonly IServiceAccountRepository _serviceAccountRepository;
private readonly IUpdateServiceAccountGrantedPoliciesCommand _updateServiceAccountGrantedPoliciesCommand;
private readonly IUserService _userService;
private readonly IProjectServiceAccountsAccessPoliciesUpdatesQuery
_projectServiceAccountsAccessPoliciesUpdatesQuery;
private readonly IUpdateProjectServiceAccountsAccessPoliciesCommand
_updateProjectServiceAccountsAccessPoliciesCommand;
public AccessPoliciesController(
IAuthorizationService authorizationService,
IUserService userService,
ICurrentContext currentContext,
IAccessPolicyRepository accessPolicyRepository,
IServiceAccountRepository serviceAccountRepository,
IProjectRepository projectRepository,
IAccessClientQuery accessClientQuery,
IServiceAccountGrantedPolicyUpdatesQuery serviceAccountGrantedPolicyUpdatesQuery,
IProjectServiceAccountsAccessPoliciesUpdatesQuery projectServiceAccountsAccessPoliciesUpdatesQuery,
IUpdateServiceAccountGrantedPoliciesCommand updateServiceAccountGrantedPoliciesCommand,
IUpdateProjectServiceAccountsAccessPoliciesCommand updateProjectServiceAccountsAccessPoliciesCommand)
{
_authorizationService = authorizationService;
_userService = userService;
_currentContext = currentContext;
_serviceAccountRepository = serviceAccountRepository;
_projectRepository = projectRepository;
_accessPolicyRepository = accessPolicyRepository;
_updateServiceAccountGrantedPoliciesCommand = updateServiceAccountGrantedPoliciesCommand;
_accessClientQuery = accessClientQuery;
_serviceAccountGrantedPolicyUpdatesQuery = serviceAccountGrantedPolicyUpdatesQuery;
_projectServiceAccountsAccessPoliciesUpdatesQuery = projectServiceAccountsAccessPoliciesUpdatesQuery;
_updateProjectServiceAccountsAccessPoliciesCommand = updateProjectServiceAccountsAccessPoliciesCommand;
}
[HttpGet("/organizations/{id}/access-policies/people/potential-grantees")]
public async Task<ListResponseModel<PotentialGranteeResponseModel>> GetPeoplePotentialGranteesAsync(
[FromRoute] Guid id)
{
if (!_currentContext.AccessSecretsManager(id))
{
throw new NotFoundException();
}
var userId = _userService.GetProperUserId(User)!.Value;
var peopleGrantees = await _accessPolicyRepository.GetPeopleGranteesAsync(id, userId);
var userResponses = peopleGrantees.UserGrantees.Select(ug => new PotentialGranteeResponseModel(ug));
var groupResponses = peopleGrantees.GroupGrantees.Select(g => new PotentialGranteeResponseModel(g));
return new ListResponseModel<PotentialGranteeResponseModel>(userResponses.Concat(groupResponses));
}
[HttpGet("/organizations/{id}/access-policies/service-accounts/potential-grantees")]
public async Task<ListResponseModel<PotentialGranteeResponseModel>> GetServiceAccountsPotentialGranteesAsync(
[FromRoute] Guid id)
{
if (!_currentContext.AccessSecretsManager(id))
{
throw new NotFoundException();
}
var (accessClient, userId) = await _accessClientQuery.GetAccessClientAsync(User, id);
var serviceAccounts =
await _serviceAccountRepository.GetManyByOrganizationIdWriteAccessAsync(id,
userId,
accessClient);
var serviceAccountResponses =
serviceAccounts.Select(serviceAccount => new PotentialGranteeResponseModel(serviceAccount));
return new ListResponseModel<PotentialGranteeResponseModel>(serviceAccountResponses);
}
[HttpGet("/organizations/{id}/access-policies/projects/potential-grantees")]
public async Task<ListResponseModel<PotentialGranteeResponseModel>> GetProjectPotentialGranteesAsync(
[FromRoute] Guid id)
{
if (!_currentContext.AccessSecretsManager(id))
{
throw new NotFoundException();
}
var (accessClient, userId) = await _accessClientQuery.GetAccessClientAsync(User, id);
var projects =
await _projectRepository.GetManyByOrganizationIdWriteAccessAsync(id,
userId,
accessClient);
var projectResponses =
projects.Select(project => new PotentialGranteeResponseModel(project));
return new ListResponseModel<PotentialGranteeResponseModel>(projectResponses);
}
[HttpGet("/projects/{id}/access-policies/people")]
public async Task<ProjectPeopleAccessPoliciesResponseModel> GetProjectPeopleAccessPoliciesAsync([FromRoute] Guid id)
{
var project = await _projectRepository.GetByIdAsync(id);
var (_, userId) = await CheckUserHasWriteAccessToProjectAsync(project);
var results = await _accessPolicyRepository.GetPeoplePoliciesByGrantedProjectIdAsync(id, userId);
return new ProjectPeopleAccessPoliciesResponseModel(results, userId);
}
[HttpPut("/projects/{id}/access-policies/people")]
public async Task<ProjectPeopleAccessPoliciesResponseModel> PutProjectPeopleAccessPoliciesAsync([FromRoute] Guid id,
[FromBody] PeopleAccessPoliciesRequestModel request)
{
var project = await _projectRepository.GetByIdAsync(id);
if (project == null)
{
throw new NotFoundException();
}
var peopleAccessPolicies = request.ToProjectPeopleAccessPolicies(id, project.OrganizationId);
var authorizationResult = await _authorizationService.AuthorizeAsync(User, peopleAccessPolicies,
ProjectPeopleAccessPoliciesOperations.Replace);
if (!authorizationResult.Succeeded)
{
throw new NotFoundException();
}
var userId = _userService.GetProperUserId(User)!.Value;
var results = await _accessPolicyRepository.ReplaceProjectPeopleAsync(peopleAccessPolicies, userId);
return new ProjectPeopleAccessPoliciesResponseModel(results, userId);
}
[HttpGet("/service-accounts/{id}/access-policies/people")]
public async Task<ServiceAccountPeopleAccessPoliciesResponseModel> GetServiceAccountPeopleAccessPoliciesAsync(
[FromRoute] Guid id)
{
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
var (_, userId) = await CheckUserHasWriteAccessToServiceAccountAsync(serviceAccount);
var results = await _accessPolicyRepository.GetPeoplePoliciesByGrantedServiceAccountIdAsync(id, userId);
return new ServiceAccountPeopleAccessPoliciesResponseModel(results, userId);
}
[HttpPut("/service-accounts/{id}/access-policies/people")]
public async Task<ServiceAccountPeopleAccessPoliciesResponseModel> PutServiceAccountPeopleAccessPoliciesAsync(
[FromRoute] Guid id,
[FromBody] PeopleAccessPoliciesRequestModel request)
{
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
if (serviceAccount == null)
{
throw new NotFoundException();
}
var peopleAccessPolicies = request.ToServiceAccountPeopleAccessPolicies(id, serviceAccount.OrganizationId);
var authorizationResult = await _authorizationService.AuthorizeAsync(User, peopleAccessPolicies,
ServiceAccountPeopleAccessPoliciesOperations.Replace);
if (!authorizationResult.Succeeded)
{
throw new NotFoundException();
}
var userId = _userService.GetProperUserId(User)!.Value;
var results = await _accessPolicyRepository.ReplaceServiceAccountPeopleAsync(peopleAccessPolicies, userId);
return new ServiceAccountPeopleAccessPoliciesResponseModel(results, userId);
}
[HttpGet("/service-accounts/{id}/granted-policies")]
public async Task<ServiceAccountGrantedPoliciesPermissionDetailsResponseModel>
GetServiceAccountGrantedPoliciesAsync([FromRoute] Guid id)
{
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
var authorizationResult =
await _authorizationService.AuthorizeAsync(User, serviceAccount, ServiceAccountOperations.Update);
if (!authorizationResult.Succeeded)
{
throw new NotFoundException();
}
return await GetServiceAccountGrantedPoliciesAsync(serviceAccount);
}
[HttpPut("/service-accounts/{id}/granted-policies")]
public async Task<ServiceAccountGrantedPoliciesPermissionDetailsResponseModel>
PutServiceAccountGrantedPoliciesAsync([FromRoute] Guid id,
[FromBody] ServiceAccountGrantedPoliciesRequestModel request)
{
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id) ?? throw new NotFoundException();
var grantedPoliciesUpdates =
await _serviceAccountGrantedPolicyUpdatesQuery.GetAsync(request.ToGrantedPolicies(serviceAccount));
var authorizationResult = await _authorizationService.AuthorizeAsync(User, grantedPoliciesUpdates,
ServiceAccountGrantedPoliciesOperations.Updates);
if (!authorizationResult.Succeeded)
{
throw new NotFoundException();
}
await _updateServiceAccountGrantedPoliciesCommand.UpdateAsync(grantedPoliciesUpdates);
return await GetServiceAccountGrantedPoliciesAsync(serviceAccount);
}
[HttpGet("/projects/{id}/access-policies/service-accounts")]
public async Task<ProjectServiceAccountsAccessPoliciesResponseModel>
GetProjectServiceAccountsAccessPoliciesAsync(
[FromRoute] Guid id)
{
var project = await _projectRepository.GetByIdAsync(id);
await CheckUserHasWriteAccessToProjectAsync(project);
var results =
await _accessPolicyRepository.GetProjectServiceAccountsAccessPoliciesAsync(id);
return new ProjectServiceAccountsAccessPoliciesResponseModel(results);
}
[HttpPut("/projects/{id}/access-policies/service-accounts")]
public async Task<ProjectServiceAccountsAccessPoliciesResponseModel>
PutProjectServiceAccountsAccessPoliciesAsync([FromRoute] Guid id,
[FromBody] ProjectServiceAccountsAccessPoliciesRequestModel request)
{
var project = await _projectRepository.GetByIdAsync(id) ?? throw new NotFoundException();
var accessPoliciesUpdates =
await _projectServiceAccountsAccessPoliciesUpdatesQuery.GetAsync(
request.ToProjectServiceAccountsAccessPolicies(project));
var authorizationResult = await _authorizationService.AuthorizeAsync(User, accessPoliciesUpdates,
ProjectServiceAccountsAccessPoliciesOperations.Updates);
if (!authorizationResult.Succeeded)
{
throw new NotFoundException();
}
await _updateProjectServiceAccountsAccessPoliciesCommand.UpdateAsync(accessPoliciesUpdates);
var results = await _accessPolicyRepository.GetProjectServiceAccountsAccessPoliciesAsync(id);
return new ProjectServiceAccountsAccessPoliciesResponseModel(results);
}
private async Task<(AccessClientType AccessClientType, Guid UserId)> CheckUserHasWriteAccessToProjectAsync(
Project project)
{
if (project == null)
{
throw new NotFoundException();
}
if (!_currentContext.AccessSecretsManager(project.OrganizationId))
{
throw new NotFoundException();
}
var (accessClient, userId) = await _accessClientQuery.GetAccessClientAsync(User, project.OrganizationId);
var access = await _projectRepository.AccessToProjectAsync(project.Id, userId, accessClient);
if (!access.Write || accessClient == AccessClientType.ServiceAccount)
{
throw new NotFoundException();
}
return (accessClient, userId);
}
private async Task<(AccessClientType AccessClientType, Guid UserId)> CheckUserHasWriteAccessToServiceAccountAsync(
ServiceAccount serviceAccount)
{
if (serviceAccount == null)
{
throw new NotFoundException();
}
if (!_currentContext.AccessSecretsManager(serviceAccount.OrganizationId))
{
throw new NotFoundException();
}
var (accessClient, userId) = await _accessClientQuery.GetAccessClientAsync(User, serviceAccount.OrganizationId);
var access =
await _serviceAccountRepository.AccessToServiceAccountAsync(serviceAccount.Id, userId, accessClient);
if (!access.Write)
{
throw new NotFoundException();
}
return (accessClient, userId);
}
private async Task<ServiceAccountGrantedPoliciesPermissionDetailsResponseModel>
GetServiceAccountGrantedPoliciesAsync(ServiceAccount serviceAccount)
{
var (accessClient, userId) = await _accessClientQuery.GetAccessClientAsync(User, serviceAccount.OrganizationId);
var results =
await _accessPolicyRepository.GetServiceAccountGrantedPoliciesPermissionDetailsAsync(serviceAccount.Id,
userId, accessClient);
return new ServiceAccountGrantedPoliciesPermissionDetailsResponseModel(results);
}
}
Reference in New Issue View Git Blame Copy Permalink