[SM-919] Add project people access policy management endpoints (#3285)

* Expose access policy discriminators * Add people policy model and auth handler * Add unit tests for authz handler * Add people policies support in repo * Add new endpoints and request/response models * Update tests
2025-07-03 09:02:48 -05:00 · 2023-11-08 11:42:40 -05:00
parent 35500b197d
commit 0ca65e3f9d
17 changed files with 1211 additions and 73 deletions
--- a/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
+++ b/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
@ -1,11 +1,9 @@
 using Bit.Api.Models.Response;
 using Bit.Api.SecretsManager.Models.Request;
 using Bit.Api.SecretsManager.Models.Response;
-using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Bit.Core.Exceptions;
-using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.AuthorizationRequirements;
 using Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
 using Bit.Core.SecretsManager.Entities;
@ -25,8 +23,6 @@ public class AccessPoliciesController : Controller
    private readonly ICreateAccessPoliciesCommand _createAccessPoliciesCommand;
    private readonly ICurrentContext _currentContext;
    private readonly IDeleteAccessPolicyCommand _deleteAccessPolicyCommand;
-    private readonly IGroupRepository _groupRepository;
-    private readonly IOrganizationUserRepository _organizationUserRepository;
    private readonly IProjectRepository _projectRepository;
    private readonly IServiceAccountRepository _serviceAccountRepository;
    private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
@ -39,9 +35,7 @@ public class AccessPoliciesController : Controller
        ICurrentContext currentContext,
        IAccessPolicyRepository accessPolicyRepository,
        IServiceAccountRepository serviceAccountRepository,
-        IGroupRepository groupRepository,
        IProjectRepository projectRepository,
-        IOrganizationUserRepository organizationUserRepository,
        ICreateAccessPoliciesCommand createAccessPoliciesCommand,
        IDeleteAccessPolicyCommand deleteAccessPolicyCommand,
        IUpdateAccessPolicyCommand updateAccessPolicyCommand)
@ -51,8 +45,6 @@ public class AccessPoliciesController : Controller
        _currentContext = currentContext;
        _serviceAccountRepository = serviceAccountRepository;
        _projectRepository = projectRepository;
-        _groupRepository = groupRepository;
-        _organizationUserRepository = organizationUserRepository;
        _accessPolicyRepository = accessPolicyRepository;
        _createAccessPoliciesCommand = createAccessPoliciesCommand;
        _deleteAccessPolicyCommand = deleteAccessPolicyCommand;
@ -243,15 +235,11 @@ public class AccessPoliciesController : Controller
            throw new NotFoundException();
        }

-        var groups = await _groupRepository.GetManyByOrganizationIdAsync(id);
-        var groupResponses = groups.Select(g => new PotentialGranteeResponseModel(g));
-
-        var organizationUsers =
-            await _organizationUserRepository.GetManyDetailsByOrganizationAsync(id);
-        var userResponses = organizationUsers
-            .Where(user => user.AccessSecretsManager && user.Status == OrganizationUserStatusType.Confirmed)
-            .Select(userDetails => new PotentialGranteeResponseModel(userDetails));
+        var userId = _userService.GetProperUserId(User).Value;
+        var peopleGrantees = await _accessPolicyRepository.GetPeopleGranteesAsync(id, userId);

+        var userResponses = peopleGrantees.UserGrantees.Select(ug => new PotentialGranteeResponseModel(ug));
+        var groupResponses = peopleGrantees.GroupGrantees.Select(g => new PotentialGranteeResponseModel(g));
        return new ListResponseModel<PotentialGranteeResponseModel>(userResponses.Concat(groupResponses));
    }

@ -287,6 +275,40 @@ public class AccessPoliciesController : Controller
        return new ListResponseModel<PotentialGranteeResponseModel>(projectResponses);
    }

+    [HttpGet("/projects/{id}/access-policies/people")]
+    public async Task<ProjectPeopleAccessPoliciesResponseModel> GetProjectPeopleAccessPoliciesAsync([FromRoute] Guid id)
+    {
+        var project = await _projectRepository.GetByIdAsync(id);
+        var (_, userId) = await CheckUserHasWriteAccessToProjectAsync(project);
+        var results = await _accessPolicyRepository.GetPeoplePoliciesByGrantedProjectIdAsync(id, userId);
+        return new ProjectPeopleAccessPoliciesResponseModel(results, userId);
+    }
+
+    [HttpPut("/projects/{id}/access-policies/people")]
+    public async Task<ProjectPeopleAccessPoliciesResponseModel> PutProjectPeopleAccessPoliciesAsync([FromRoute] Guid id,
+        [FromBody] PeopleAccessPoliciesRequestModel request)
+    {
+        var project = await _projectRepository.GetByIdAsync(id);
+        if (project == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var peopleAccessPolicies = request.ToProjectPeopleAccessPolicies(id, project.OrganizationId);
+
+        var authorizationResult = await _authorizationService.AuthorizeAsync(User, peopleAccessPolicies,
+            ProjectPeopleAccessPoliciesOperations.Replace);
+        if (!authorizationResult.Succeeded)
+        {
+            throw new NotFoundException();
+        }
+
+        var userId = _userService.GetProperUserId(User).Value;
+        var results = await _accessPolicyRepository.ReplaceProjectPeopleAsync(peopleAccessPolicies, userId);
+        return new ProjectPeopleAccessPoliciesResponseModel(results, userId);
+    }
+
+
    private async Task<(AccessClientType AccessClientType, Guid UserId)> CheckUserHasWriteAccessToProjectAsync(Project project)
    {
        if (project == null)