[SM-919] Add project people access policy management endpoints (#3285)

* Expose access policy discriminators * Add people policy model and auth handler * Add unit tests for authz handler * Add people policies support in repo * Add new endpoints and request/response models * Update tests
2025-07-02 16:42:50 -05:00 · 2023-11-08 11:42:40 -05:00
parent 35500b197d
commit 0ca65e3f9d
17 changed files with 1211 additions and 73 deletions
--- a/src/Core/SecretsManager/AuthorizationRequirements/ProjectPeopleAccessPoliciesOperationRequirement.cs
+++ b/src/Core/SecretsManager/AuthorizationRequirements/ProjectPeopleAccessPoliciesOperationRequirement.cs
@ -0,0 +1,12 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.SecretsManager.AuthorizationRequirements;
+
+public class ProjectPeopleAccessPoliciesOperationRequirement : OperationAuthorizationRequirement
+{
+}
+
+public static class ProjectPeopleAccessPoliciesOperations
+{
+    public static readonly ProjectPeopleAccessPoliciesOperationRequirement Replace = new() { Name = nameof(Replace) };
+}
--- a/src/Core/SecretsManager/Models/Data/PeopleGrantees.cs
+++ b/src/Core/SecretsManager/Models/Data/PeopleGrantees.cs
@ -0,0 +1,22 @@
+namespace Bit.Core.SecretsManager.Models.Data;
+
+public class PeopleGrantees
+{
+    public IEnumerable<UserGrantee> UserGrantees { get; set; }
+    public IEnumerable<GroupGrantee> GroupGrantees { get; set; }
+}
+
+public class UserGrantee
+{
+    public Guid OrganizationUserId { get; set; }
+    public string Name { get; set; }
+    public string Email { get; set; }
+    public bool CurrentUser { get; set; }
+}
+
+public class GroupGrantee
+{
+    public Guid GroupId { get; set; }
+    public string Name { get; set; }
+    public bool CurrentUserInGroup { get; set; }
+}
--- a/src/Core/SecretsManager/Models/Data/ProjectPeopleAccessPolicies.cs
+++ b/src/Core/SecretsManager/Models/Data/ProjectPeopleAccessPolicies.cs
@ -0,0 +1,27 @@
+using Bit.Core.SecretsManager.Entities;
+
+namespace Bit.Core.SecretsManager.Models.Data;
+
+public class ProjectPeopleAccessPolicies
+{
+    public Guid Id { get; set; }
+    public Guid OrganizationId { get; set; }
+    public IEnumerable<UserProjectAccessPolicy> UserAccessPolicies { get; set; }
+    public IEnumerable<GroupProjectAccessPolicy> GroupAccessPolicies { get; set; }
+
+    public IEnumerable<BaseAccessPolicy> ToBaseAccessPolicies()
+    {
+        var policies = new List<BaseAccessPolicy>();
+        if (UserAccessPolicies != null && UserAccessPolicies.Any())
+        {
+            policies.AddRange(UserAccessPolicies);
+        }
+
+        if (GroupAccessPolicies != null && GroupAccessPolicies.Any())
+        {
+            policies.AddRange(GroupAccessPolicies);
+        }
+
+        return policies;
+    }
+}
--- a/src/Core/SecretsManager/Repositories/IAccessPolicyRepository.cs
+++ b/src/Core/SecretsManager/Repositories/IAccessPolicyRepository.cs
@ -1,6 +1,7 @@
 #nullable enable
 using Bit.Core.Enums;
 using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Models.Data;

 namespace Bit.Core.SecretsManager.Repositories;

@ -15,4 +16,7 @@ public interface IAccessPolicyRepository
        AccessClientType accessType);
    Task ReplaceAsync(BaseAccessPolicy baseAccessPolicy);
    Task DeleteAsync(Guid id);
+    Task<IEnumerable<BaseAccessPolicy>> GetPeoplePoliciesByGrantedProjectIdAsync(Guid id, Guid userId);
+    Task<IEnumerable<BaseAccessPolicy>> ReplaceProjectPeopleAsync(ProjectPeopleAccessPolicies peopleAccessPolicies, Guid userId);
+    Task<PeopleGrantees> GetPeopleGranteesAsync(Guid organizationId, Guid currentUserId);
 }