[SM-713] Add database support for secret access policies (#3681)

* mssql add column and migration * Add secret access policies to EF models and config * Clear new access policies on service account delete * Add SM cleanup code on delete * Fix EF org user bulk delete * Run EF migrations
2025-07-02 08:32:50 -05:00 · 2024-02-22 10:06:39 -06:00
parent 374b59bcfb
commit 1499d1e2c6
20 changed files with 8315 additions and 46 deletions
--- a/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/Repositories/ServiceAccountRepository.cs
+++ b/bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/Repositories/ServiceAccountRepository.cs
@ -84,22 +84,29 @@ public class ServiceAccountRepository : Repository<Core.SecretsManager.Entities.

    public async Task DeleteManyByIdAsync(IEnumerable<Guid> ids)
    {
+        var targetIds = ids.ToList();
        using var scope = ServiceScopeFactory.CreateScope();
        var dbContext = GetDatabaseContext(scope);

+        await using var transaction = await dbContext.Database.BeginTransactionAsync();
+
        // Policies can't have a cascade delete, so we need to delete them manually.
-        var policies = dbContext.AccessPolicies.Where(ap =>
-            ((ServiceAccountProjectAccessPolicy)ap).ServiceAccountId.HasValue && ids.Contains(((ServiceAccountProjectAccessPolicy)ap).ServiceAccountId!.Value) ||
-            ((GroupServiceAccountAccessPolicy)ap).GrantedServiceAccountId.HasValue && ids.Contains(((GroupServiceAccountAccessPolicy)ap).GrantedServiceAccountId!.Value) ||
-            ((UserServiceAccountAccessPolicy)ap).GrantedServiceAccountId.HasValue && ids.Contains(((UserServiceAccountAccessPolicy)ap).GrantedServiceAccountId!.Value));
-        dbContext.RemoveRange(policies);
+        await dbContext.AccessPolicies.Where(ap =>
+                targetIds.Contains(((ServiceAccountProjectAccessPolicy)ap).ServiceAccountId!.Value) ||
+                targetIds.Contains(((ServiceAccountSecretAccessPolicy)ap).ServiceAccountId!.Value) ||
+                targetIds.Contains(((GroupServiceAccountAccessPolicy)ap).GrantedServiceAccountId!.Value) ||
+                targetIds.Contains(((UserServiceAccountAccessPolicy)ap).GrantedServiceAccountId!.Value))
+            .ExecuteDeleteAsync();

-        var apiKeys = dbContext.ApiKeys.Where(a => a.ServiceAccountId.HasValue && ids.Contains(a.ServiceAccountId!.Value));
-        dbContext.RemoveRange(apiKeys);
+        await dbContext.ApiKeys
+            .Where(a => targetIds.Contains(a.ServiceAccountId!.Value))
+            .ExecuteDeleteAsync();

-        var serviceAccounts = dbContext.ServiceAccount.Where(c => ids.Contains(c.Id));
-        dbContext.RemoveRange(serviceAccounts);
-        await dbContext.SaveChangesAsync();
+        await dbContext.ServiceAccount
+            .Where(c => targetIds.Contains(c.Id))
+            .ExecuteDeleteAsync();
+
+        await transaction.CommitAsync();
    }

    public async Task<(bool Read, bool Write)> AccessToServiceAccountAsync(Guid id, Guid userId,