nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-02 16:42:50 -05:00
Code Activity

[AC-1139] Rewrote GroupAuthorizationHandler to be similar to other AuthHandlers; Revisited unit tests

Browse Source
This commit is contained in:
Rui Tome
2023-11-24 11:17:47 +00:00
parent 21887c3fd3
commit 0b24fe1a9b
2 changed files with 33 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
src/Api/Vault/AuthorizationHandlers/Groups/GroupAuthorizationHandler.cs
View File

@ -1,4 +1,5 @@
using Bit.Core; #nullable enable
using Bit.Core;
using Bit.Core.Context; using Bit.Core.Context;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Exceptions; using Bit.Core.Exceptions;
@ -58,29 +59,27 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
} }
private async Task CanReadAllAsync(AuthorizationHandlerContext context, GroupOperationRequirement requirement, private async Task CanReadAllAsync(AuthorizationHandlerContext context, GroupOperationRequirement requirement,
CurrentContextOrganization org) CurrentContextOrganization? org)
{ {
if (org != null) // If the limit collection management setting is disabled, allow any user to read all groups
// Otherwise, Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all groups
if (org is
{ LimitCollectionCreationDeletion: false } or
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
{ Permissions.ManageGroups: true } or
{ Permissions.ManageUsers: true } or
{ Permissions.EditAnyCollection: true } or
{ Permissions.DeleteAnyCollection: true } or
{ Permissions.CreateNewCollections: true })
{ {
// Acting user is a member of the target organization, check permissions context.Succeed(requirement);
if (org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin || return;
org.Permissions.ManageGroups ||
org.Permissions.ManageUsers ||
org.Permissions.EditAnyCollection ||
org.Permissions.DeleteAnyCollection ||
org.Permissions.CreateNewCollections ||
!org.LimitCollectionCreationDeletion)
{
context.Succeed(requirement);
}
} }
else
// Allow provider users to read all groups if they are a provider for the target organization
if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
{ {
// Check if acting user is a provider user for the target organization context.Succeed(requirement);
if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
{
context.Succeed(requirement);
}
} }
} }
} }

22
test/Api.Test/Vault/AuthorizationHandlers/GroupAuthorizationHandlerTests.cs
View File

@ -26,6 +26,7 @@ public class GroupAuthorizationHandlerTests
CurrentContextOrganization organization) CurrentContextOrganization organization)
{ {
organization.Type = userType; organization.Type = userType;
organization.LimitCollectionCreationDeletion = true;
organization.Permissions = new Permissions(); organization.Permissions = new Permissions();
var context = new AuthorizationHandlerContext( var context = new AuthorizationHandlerContext(
@ -46,6 +47,10 @@ public class GroupAuthorizationHandlerTests
Guid userId, Guid userId,
SutProvider<GroupAuthorizationHandler> sutProvider, CurrentContextOrganization organization) SutProvider<GroupAuthorizationHandler> sutProvider, CurrentContextOrganization organization)
{ {
organization.Type = OrganizationUserType.User;
organization.LimitCollectionCreationDeletion = true;
organization.Permissions = new Permissions();
var context = new AuthorizationHandlerContext( var context = new AuthorizationHandlerContext(
new[] { GroupOperations.ReadAll(organization.Id) }, new[] { GroupOperations.ReadAll(organization.Id) },
new ClaimsPrincipal(), new ClaimsPrincipal(),
@ -64,26 +69,27 @@ public class GroupAuthorizationHandlerTests
} }
[Theory] [Theory]
[BitAutoData(true, false, false, false, false)] [BitAutoData(true, false, false, false, true)]
[BitAutoData(false, true, false, false, false)] [BitAutoData(false, true, false, false, true)]
[BitAutoData(false, false, true, false, false)] [BitAutoData(false, false, true, false, true)]
[BitAutoData(false, false, false, true, false)] [BitAutoData(false, false, false, true, true)]
[BitAutoData(false, false, false, false, true)] [BitAutoData(false, false, false, false, false)]
public async Task CanReadAllAsync_WhenCustomUserWithRequiredPermissions_Success( public async Task CanReadAllAsync_WhenCustomUserWithRequiredPermissions_Success(
bool editAnyCollection, bool deleteAnyCollection, bool manageGroups, bool manageUsers, bool accessImportExport, bool editAnyCollection, bool deleteAnyCollection, bool manageGroups,
bool manageUsers, bool limitCollectionCreationDeletion,
SutProvider<GroupAuthorizationHandler> sutProvider, SutProvider<GroupAuthorizationHandler> sutProvider,
CurrentContextOrganization organization) CurrentContextOrganization organization)
{ {
var actingUserId = Guid.NewGuid(); var actingUserId = Guid.NewGuid();
organization.Type = OrganizationUserType.Custom; organization.Type = OrganizationUserType.Custom;
organization.LimitCollectionCreationDeletion = limitCollectionCreationDeletion;
organization.Permissions = new Permissions organization.Permissions = new Permissions
{ {
EditAnyCollection = editAnyCollection, EditAnyCollection = editAnyCollection,
DeleteAnyCollection = deleteAnyCollection, DeleteAnyCollection = deleteAnyCollection,
ManageGroups = manageGroups, ManageGroups = manageGroups,
ManageUsers = manageUsers, ManageUsers = manageUsers
AccessImportExport = accessImportExport
}; };
var context = new AuthorizationHandlerContext( var context = new AuthorizationHandlerContext(