Add RBAC to Bitwarden Portal (#2853)

* Auth/pm-48 (#2680) * PM-48 - add user's role as a claim and establish access control service * PM-48 - remove function unrelated to the role claim * PM-48 - fix whitespace issues * PM-48 - move registration of CustomClaimsPrincipalFactory, replace role claim type string with constant, streamline code that retrieves the user's role * Auth/pm-47 (#2699) * PM-48 - add user's role as a claim and establish access control service * PM-48 - remove function unrelated to the role claim * PM-48 - fix whitespace issues * PM-47 - add list of permission enums, role:permissions mapping, and function that determines if the logged in user has the given permission * PM-47 - remove unneeded service registration, set role to lowercase * PM-47 - fix code style issues * PM-46 - create permission filter attribute (#2753) * Auth/pm-54 add rbac for users (#2758) * PM-54 - add permission gates to User elements * PM-54 - fix formatting * PM-54 - remove unused function * PM-54 - fix variable reference, add permission to billing role * PM-54 - handle Upgrade Premium button functionality and fix spelling * PM-54 - change permission name to be more accurate * PM-49 - update role retrieval (#2779) * Auth/[PM-50] add rbac for logs (#2782) * PM-50 - add rbac for logs * PM-50 - remove unnecessary action filter * PM-51 - add RBAC for tools (#2799) * Auth/[pm-52] add rbac providers (#2818) * PM-52 add rbac for providers * PM-52 - update redirect action * PM-52 - add back edit functionality and permission * PM-52 - reverse changes around removing edit functionality * PM-52 - moved permission check to variable assignement * PM-53 - add rbac for organizations (#2798) * PM-52 - add missed permission to billing role (#2836) * Fixed merge conflicts. * [PM-1846] Updates to add RBAC back after merge conflicts (#2870) * Updates to add RBAC to changes from reseller. * Added back checks for delete and initiating a trial. * Removed extraneous Razor tag. --------- Co-authored-by: dgoodman-bw <109169446+dgoodman-bw@users.noreply.github.com> Co-authored-by: Danielle Goodman <dgoodman@bitwarden.com> Co-authored-by: Jacob Fink <jfink@bitwarden.com>
2025-07-02 16:42:50 -05:00 · 2023-05-04 15:18:49 -04:00
parent 2ac513e15a
commit 0bd0910c39
24 changed files with 1101 additions and 410 deletions
--- a/src/Admin/Controllers/ToolsController.cs
+++ b/src/Admin/Controllers/ToolsController.cs
@ -1,6 +1,8 @@
 using System.Text;
 using System.Text.Json;
+using Bit.Admin.Enums;
 using Bit.Admin.Models;
+using Bit.Admin.Utilities;
 using Bit.Core.Entities;
 using Bit.Core.Models.BitStripe;
 using Bit.Core.OrganizationFeatures.OrganizationLicenses.Interfaces;
@ -55,6 +57,7 @@ public class ToolsController : Controller
        _environment = environment;
    }

+    [RequirePermission(Permission.Tools_ChargeBrainTreeCustomer)]
    public IActionResult ChargeBraintree()
    {
        return View(new ChargeBraintreeModel());
@ -62,6 +65,7 @@ public class ToolsController : Controller

    [HttpPost]
    [ValidateAntiForgeryToken]
+    [RequirePermission(Permission.Tools_ChargeBrainTreeCustomer)]
    public async Task<IActionResult> ChargeBraintree(ChargeBraintreeModel model)
    {
        if (!ModelState.IsValid)
@ -113,6 +117,7 @@ public class ToolsController : Controller
        return View(model);
    }

+    [RequirePermission(Permission.Tools_CreateEditTransaction)]
    public IActionResult CreateTransaction(Guid? organizationId = null, Guid? userId = null)
    {
        return View("CreateUpdateTransaction", new CreateUpdateTransactionModel
@ -124,6 +129,7 @@ public class ToolsController : Controller

    [HttpPost]
    [ValidateAntiForgeryToken]
+    [RequirePermission(Permission.Tools_CreateEditTransaction)]
    public async Task<IActionResult> CreateTransaction(CreateUpdateTransactionModel model)
    {
        if (!ModelState.IsValid)
@ -142,6 +148,7 @@ public class ToolsController : Controller
        }
    }

+    [RequirePermission(Permission.Tools_CreateEditTransaction)]
    public async Task<IActionResult> EditTransaction(Guid id)
    {
        var transaction = await _transactionRepository.GetByIdAsync(id);
@ -154,6 +161,7 @@ public class ToolsController : Controller

    [HttpPost]
    [ValidateAntiForgeryToken]
+    [RequirePermission(Permission.Tools_CreateEditTransaction)]
    public async Task<IActionResult> EditTransaction(Guid id, CreateUpdateTransactionModel model)
    {
        if (!ModelState.IsValid)
@ -171,6 +179,7 @@ public class ToolsController : Controller
        }
    }

+    [RequirePermission(Permission.Tools_PromoteAdmin)]
    public IActionResult PromoteAdmin()
    {
        return View();
@ -178,6 +187,7 @@ public class ToolsController : Controller

    [HttpPost]
    [ValidateAntiForgeryToken]
+    [RequirePermission(Permission.Tools_PromoteAdmin)]
    public async Task<IActionResult> PromoteAdmin(PromoteAdminModel model)
    {
        if (!ModelState.IsValid)
@ -207,6 +217,7 @@ public class ToolsController : Controller
        return RedirectToAction("Edit", "Organizations", new { id = model.OrganizationId.Value });
    }

+    [RequirePermission(Permission.Tools_GenerateLicenseFile)]
    public IActionResult GenerateLicense()
    {
        return View();
@ -214,6 +225,7 @@ public class ToolsController : Controller

    [HttpPost]
    [ValidateAntiForgeryToken]
+    [RequirePermission(Permission.Tools_GenerateLicenseFile)]
    public async Task<IActionResult> GenerateLicense(LicenseModel model)
    {
        if (!ModelState.IsValid)
@ -285,6 +297,7 @@ public class ToolsController : Controller
        }
    }

+    [RequirePermission(Permission.Tools_ManageTaxRates)]
    public async Task<IActionResult> TaxRate(int page = 1, int count = 25)
    {
        if (page < 1)
@ -307,6 +320,7 @@ public class ToolsController : Controller
        });
    }

+    [RequirePermission(Permission.Tools_ManageTaxRates)]
    public async Task<IActionResult> TaxRateAddEdit(string stripeTaxRateId = null)
    {
        if (string.IsNullOrWhiteSpace(stripeTaxRateId))
@ -328,6 +342,7 @@ public class ToolsController : Controller
    }

    [ValidateAntiForgeryToken]
+    [RequirePermission(Permission.Tools_ManageTaxRates)]
    public async Task<IActionResult> TaxRateUpload(IFormFile file)
    {
        if (file == null || file.Length == 0)
@ -395,6 +410,7 @@ public class ToolsController : Controller

    [HttpPost]
    [ValidateAntiForgeryToken]
+    [RequirePermission(Permission.Tools_ManageTaxRates)]
    public async Task<IActionResult> TaxRateAddEdit(TaxRateAddEditModel model)
    {
        var existingRateCheck = await _taxRateRepository.GetByLocationAsync(new TaxRate() { Country = model.Country, PostalCode = model.PostalCode });
@ -429,6 +445,7 @@ public class ToolsController : Controller
        return RedirectToAction("TaxRate");
    }

+    [RequirePermission(Permission.Tools_ManageTaxRates)]
    public async Task<IActionResult> TaxRateArchive(string stripeTaxRateId)
    {
        if (!string.IsNullOrWhiteSpace(stripeTaxRateId))
@ -439,6 +456,7 @@ public class ToolsController : Controller
        return RedirectToAction("TaxRate");
    }

+    [RequirePermission(Permission.Tools_ManageStripeSubscriptions)]
    public async Task<IActionResult> StripeSubscriptions(StripeSubscriptionListOptions options)
    {
        options = options ?? new StripeSubscriptionListOptions();
@ -465,6 +483,7 @@ public class ToolsController : Controller
    }

    [HttpPost]
+    [RequirePermission(Permission.Tools_ManageStripeSubscriptions)]
    public async Task<IActionResult> StripeSubscriptions([FromForm] StripeSubscriptionsModel model)
    {
        if (!ModelState.IsValid)