nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-06-30 15:42:48 -05:00
Code Activity

[SM-713] Add database support for secret access policies (#3681)

Browse Source 
* mssql add column and migration

* Add secret access policies to EF models and config

* Clear new access policies on service account delete

* Add SM cleanup code on delete

* Fix EF org user bulk delete

* Run EF migrations
This commit is contained in:
Thomas Avery
2024-02-22 10:06:39 -06:00
committed by GitHub
parent 374b59bcfb
commit 1499d1e2c6
20 changed files with 8315 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/Core/SecretsManager/Entities/AccessPolicy.cs
View File

@ -38,6 +38,14 @@ public class UserServiceAccountAccessPolicy : BaseAccessPolicy
public ServiceAccount? GrantedServiceAccount { get; set; }
}
public class UserSecretAccessPolicy : BaseAccessPolicy
{
public Guid? OrganizationUserId { get; set; }
public User? User { get; set; }
public Guid? GrantedSecretId { get; set; }
public Secret? GrantedSecret { get; set; }
}
public class GroupProjectAccessPolicy : BaseAccessPolicy
{
public Guid? GroupId { get; set; }
@ -56,6 +64,15 @@ public class GroupServiceAccountAccessPolicy : BaseAccessPolicy
public ServiceAccount? GrantedServiceAccount { get; set; }
}
public class GroupSecretAccessPolicy : BaseAccessPolicy
{
public Guid? GroupId { get; set; }
public Group? Group { get; set; }
public bool? CurrentUserInGroup { get; set; }
public Guid? GrantedSecretId { get; set; }
public Secret? GrantedSecret { get; set; }
}
public class ServiceAccountProjectAccessPolicy : BaseAccessPolicy
{
public Guid? ServiceAccountId { get; set; }
@ -63,3 +80,11 @@ public class ServiceAccountProjectAccessPolicy : BaseAccessPolicy
public Guid? GrantedProjectId { get; set; }
public Project? GrantedProject { get; set; }
}
public class ServiceAccountSecretAccessPolicy : BaseAccessPolicy
{
public Guid? ServiceAccountId { get; set; }
public ServiceAccount? ServiceAccount { get; set; }
public Guid? GrantedSecretId { get; set; }
public Secret? GrantedSecret { get; set; }
}

2
src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
View File

@ -180,6 +180,8 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
.ExecuteDeleteAsync();
await dbContext.UserServiceAccountAccessPolicy.Where(ap => ap.OrganizationUser.OrganizationId == organization.Id)
.ExecuteDeleteAsync();
await dbContext.UserSecretAccessPolicy.Where(ap => ap.OrganizationUser.OrganizationId == organization.Id)
.ExecuteDeleteAsync();
await dbContext.OrganizationUsers.Where(ou => ou.OrganizationId == organization.Id)
.ExecuteDeleteAsync();
await dbContext.ProviderOrganizations.Where(po => po.OrganizationId == organization.Id)

42
src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
View File

@ -100,6 +100,8 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
dbContext.UserProjectAccessPolicy.Where(ap => ap.OrganizationUserId == organizationUserId));
dbContext.UserServiceAccountAccessPolicy.RemoveRange(
dbContext.UserServiceAccountAccessPolicy.Where(ap => ap.OrganizationUserId == organizationUserId));
dbContext.UserSecretAccessPolicy.RemoveRange(
dbContext.UserSecretAccessPolicy.Where(ap => ap.OrganizationUserId == organizationUserId));
var orgSponsorships = await dbContext.OrganizationSponsorships
.Where(os => os.SponsoringOrganizationUserId == organizationUserId)
@ -117,18 +119,36 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
public async Task DeleteManyAsync(IEnumerable<Guid> organizationUserIds)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
await dbContext.UserBumpAccountRevisionDateByOrganizationUserIdsAsync(organizationUserIds);
var entities = await dbContext.OrganizationUsers
// TODO: Does this work?
.Where(ou => organizationUserIds.Contains(ou.Id))
.ToListAsync();
var targetOrganizationUserIds = organizationUserIds.ToList();
using var scope = ServiceScopeFactory.CreateScope();
var dbContext = GetDatabaseContext(scope);
dbContext.OrganizationUsers.RemoveRange(entities);
await dbContext.SaveChangesAsync();
}
var transaction = await dbContext.Database.BeginTransactionAsync();
await dbContext.UserBumpAccountRevisionDateByOrganizationUserIdsAsync(targetOrganizationUserIds);
await dbContext.CollectionUsers
.Where(cu => targetOrganizationUserIds.Contains(cu.OrganizationUserId))
.ExecuteDeleteAsync();
await dbContext.GroupUsers
.Where(gu => targetOrganizationUserIds.Contains(gu.OrganizationUserId))
.ExecuteDeleteAsync();
await dbContext.UserProjectAccessPolicy
.Where(ap => targetOrganizationUserIds.Contains(ap.OrganizationUserId!.Value))
.ExecuteDeleteAsync();
await dbContext.UserServiceAccountAccessPolicy
.Where(ap => targetOrganizationUserIds.Contains(ap.OrganizationUserId!.Value))
.ExecuteDeleteAsync();
await dbContext.UserSecretAccessPolicy
.Where(ap => targetOrganizationUserIds.Contains(ap.OrganizationUserId!.Value))
.ExecuteDeleteAsync();
await dbContext.OrganizationUsers
.Where(ou => targetOrganizationUserIds.Contains(ou.Id)).ExecuteDeleteAsync();
await dbContext.SaveChangesAsync();
await transaction.CommitAsync();
}
public async Task<Tuple<Core.Entities.OrganizationUser, ICollection<CollectionAccessSelection>>> GetByIdWithCollectionsAsync(Guid id)

3
src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
View File

@ -27,6 +27,9 @@ public class DatabaseContext : DbContext
public DbSet<ServiceAccountProjectAccessPolicy> ServiceAccountProjectAccessPolicy { get; set; }
public DbSet<UserServiceAccountAccessPolicy> UserServiceAccountAccessPolicy { get; set; }
public DbSet<GroupServiceAccountAccessPolicy> GroupServiceAccountAccessPolicy { get; set; }
public DbSet<UserSecretAccessPolicy> UserSecretAccessPolicy { get; set; }
public DbSet<GroupSecretAccessPolicy> GroupSecretAccessPolicy { get; set; }
public DbSet<ServiceAccountSecretAccessPolicy> ServiceAccountSecretAccessPolicy { get; set; }
public DbSet<ApiKey> ApiKeys { get; set; }
public DbSet<Cipher> Ciphers { get; set; }
public DbSet<Collection> Collections { get; set; }

71
src/Infrastructure.EntityFramework/SecretsManager/Configurations/AccessPolicyEntityTypeConfiguration.cs
View File

@ -13,9 +13,12 @@ public class AccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<Acce
.HasDiscriminator<string>("Discriminator")
.HasValue<UserProjectAccessPolicy>(AccessPolicyDiscriminator.UserProject)
.HasValue<UserServiceAccountAccessPolicy>(AccessPolicyDiscriminator.UserServiceAccount)
.HasValue<UserSecretAccessPolicy>(AccessPolicyDiscriminator.UserSecret)
.HasValue<GroupProjectAccessPolicy>(AccessPolicyDiscriminator.GroupProject)
.HasValue<GroupServiceAccountAccessPolicy>(AccessPolicyDiscriminator.GroupServiceAccount)
.HasValue<ServiceAccountProjectAccessPolicy>(AccessPolicyDiscriminator.ServiceAccountProject);
.HasValue<GroupSecretAccessPolicy>(AccessPolicyDiscriminator.GroupSecret)
.HasValue<ServiceAccountProjectAccessPolicy>(AccessPolicyDiscriminator.ServiceAccountProject)
.HasValue<ServiceAccountSecretAccessPolicy>(AccessPolicyDiscriminator.ServiceAccountSecret);
builder
.Property(s => s.Id)
@ -63,6 +66,26 @@ public class UserServiceAccountAccessPolicyEntityTypeConfiguration : IEntityType
}
}
public class UserSecretAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<UserSecretAccessPolicy>
{
public void Configure(EntityTypeBuilder<UserSecretAccessPolicy> builder)
{
builder
.Property(e => e.OrganizationUserId)
.HasColumnName(nameof(UserSecretAccessPolicy.OrganizationUserId));
builder
.Property(e => e.GrantedSecretId)
.HasColumnName(nameof(UserSecretAccessPolicy.GrantedSecretId));
builder
.HasOne(e => e.GrantedSecret)
.WithMany(e => e.UserAccessPolicies)
.HasForeignKey(nameof(UserSecretAccessPolicy.GrantedSecretId))
.OnDelete(DeleteBehavior.Cascade);
}
}
public class GroupProjectAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<GroupProjectAccessPolicy>
{
public void Configure(EntityTypeBuilder<GroupProjectAccessPolicy> builder)
@ -109,6 +132,32 @@ public class GroupServiceAccountAccessPolicyEntityTypeConfiguration : IEntityTyp
}
}
public class GroupSecretAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<GroupSecretAccessPolicy>
{
public void Configure(EntityTypeBuilder<GroupSecretAccessPolicy> builder)
{
builder
.Property(e => e.GroupId)
.HasColumnName(nameof(GroupSecretAccessPolicy.GroupId));
builder
.Property(e => e.GrantedSecretId)
.HasColumnName(nameof(GroupSecretAccessPolicy.GrantedSecretId));
builder
.HasOne(e => e.GrantedSecret)
.WithMany(e => e.GroupAccessPolicies)
.HasForeignKey(nameof(GroupSecretAccessPolicy.GrantedSecretId))
.OnDelete(DeleteBehavior.Cascade);
builder
.HasOne(e => e.Group)
.WithMany()
.HasForeignKey(nameof(GroupSecretAccessPolicy.GroupId))
.OnDelete(DeleteBehavior.Cascade);
}
}
public class ServiceAccountProjectAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<ServiceAccountProjectAccessPolicy>
{
public void Configure(EntityTypeBuilder<ServiceAccountProjectAccessPolicy> builder)
@ -128,3 +177,23 @@ public class ServiceAccountProjectAccessPolicyEntityTypeConfiguration : IEntityT
.OnDelete(DeleteBehavior.Cascade);
}
}
public class ServiceAccountSecretAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<ServiceAccountSecretAccessPolicy>
{
public void Configure(EntityTypeBuilder<ServiceAccountSecretAccessPolicy> builder)
{
builder
.Property(e => e.ServiceAccountId)
.HasColumnName(nameof(ServiceAccountSecretAccessPolicy.ServiceAccountId));
builder
.Property(e => e.GrantedSecretId)
.HasColumnName(nameof(ServiceAccountSecretAccessPolicy.GrantedSecretId));
builder
.HasOne(e => e.GrantedSecret)
.WithMany(e => e.ServiceAccountAccessPolicies)
.HasForeignKey(nameof(ServiceAccountSecretAccessPolicy.GrantedSecretId))
.OnDelete(DeleteBehavior.Cascade);
}
}

4
src/Infrastructure.EntityFramework/SecretsManager/Discriminators/AccessPolicyDiscriminator.cs
View File

@ -4,8 +4,10 @@ public static class AccessPolicyDiscriminator
{
public const string UserProject = "user_project";
public const string UserServiceAccount = "user_service_account";
public const string UserSecret = "user_secret";
public const string GroupProject = "group_project";
public const string GroupServiceAccount = "group_service_account";
public const string GroupSecret = "group_secret";
public const string ServiceAccountProject = "service_account_project";
public const string ServiceAccountSecret = "service_account_secret";
}

41
src/Infrastructure.EntityFramework/SecretsManager/Models/AccessPolicy.cs
View File

@ -24,6 +24,12 @@ public class AccessPolicyMapperProfile : Profile
.ReverseMap()
.ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
CreateMap<Core.SecretsManager.Entities.UserSecretAccessPolicy, UserSecretAccessPolicy>()
.ForMember(dst => dst.GrantedSecret, opt => opt.Ignore())
.ForMember(dst => dst.OrganizationUser, opt => opt.Ignore())
.ReverseMap()
.ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
CreateMap<Core.SecretsManager.Entities.GroupProjectAccessPolicy, GroupProjectAccessPolicy>()
.ForMember(dst => dst.GrantedProject, opt => opt.Ignore())
.ForMember(dst => dst.Group, opt => opt.Ignore())
@ -34,10 +40,20 @@ public class AccessPolicyMapperProfile : Profile
.ForMember(dst => dst.Group, opt => opt.Ignore())
.ReverseMap();
CreateMap<Core.SecretsManager.Entities.GroupSecretAccessPolicy, GroupSecretAccessPolicy>()
.ForMember(dst => dst.GrantedSecret, opt => opt.Ignore())
.ForMember(dst => dst.Group, opt => opt.Ignore())
.ReverseMap();
CreateMap<Core.SecretsManager.Entities.ServiceAccountProjectAccessPolicy, ServiceAccountProjectAccessPolicy>()
.ForMember(dst => dst.GrantedProject, opt => opt.Ignore())
.ForMember(dst => dst.ServiceAccount, opt => opt.Ignore())
.ReverseMap();
CreateMap<Core.SecretsManager.Entities.ServiceAccountSecretAccessPolicy, ServiceAccountSecretAccessPolicy>()
.ForMember(dst => dst.GrantedSecret, opt => opt.Ignore())
.ForMember(dst => dst.ServiceAccount, opt => opt.Ignore())
.ReverseMap();
}
}
@ -61,6 +77,14 @@ public class UserServiceAccountAccessPolicy : AccessPolicy
public virtual ServiceAccount GrantedServiceAccount { get; set; }
}
public class UserSecretAccessPolicy : AccessPolicy
{
public Guid? OrganizationUserId { get; set; }
public virtual OrganizationUser OrganizationUser { get; set; }
public Guid? GrantedSecretId { get; set; }
public virtual Secret GrantedSecret { get; set; }
}
public class GroupProjectAccessPolicy : AccessPolicy
{
public Guid? GroupId { get; set; }
@ -77,6 +101,14 @@ public class GroupServiceAccountAccessPolicy : AccessPolicy
public virtual ServiceAccount GrantedServiceAccount { get; set; }
}
public class GroupSecretAccessPolicy : AccessPolicy
{
public Guid? GroupId { get; set; }
public virtual Group Group { get; set; }
public Guid? GrantedSecretId { get; set; }
public virtual Secret GrantedSecret { get; set; }
}
public class ServiceAccountProjectAccessPolicy : AccessPolicy
{
public Guid? ServiceAccountId { get; set; }
@ -84,3 +116,12 @@ public class ServiceAccountProjectAccessPolicy : AccessPolicy
public Guid? GrantedProjectId { get; set; }
public virtual Project GrantedProject { get; set; }
}
public class ServiceAccountSecretAccessPolicy : AccessPolicy
{
public Guid? ServiceAccountId { get; set; }
public virtual ServiceAccount ServiceAccount { get; set; }
public Guid? GrantedSecretId { get; set; }
public virtual Secret GrantedSecret { get; set; }
}

5
src/Infrastructure.EntityFramework/SecretsManager/Models/Secret.cs
View File

@ -5,8 +5,11 @@ namespace Bit.Infrastructure.EntityFramework.SecretsManager.Models;
public class Secret : Core.SecretsManager.Entities.Secret
{
public virtual new ICollection<Project> Projects { get; set; }
public new virtual ICollection<Project> Projects { get; set; }
public virtual Organization Organization { get; set; }
public virtual ICollection<UserSecretAccessPolicy> UserAccessPolicies { get; set; }
public virtual ICollection<GroupSecretAccessPolicy> GroupAccessPolicies { get; set; }
public virtual ICollection<ServiceAccountSecretAccessPolicy> ServiceAccountAccessPolicies { get; set; }
}
public class SecretMapperProfile : Profile

50
src/Sql/SecretsManager/dbo/Tables/AccessPolicy.sql
View File

@ -1,34 +1,40 @@
CREATE TABLE [AccessPolicy] (
[Id] UNIQUEIDENTIFIER NOT NULL,
[Discriminator] NVARCHAR(50) NOT NULL,
[OrganizationUserId] UNIQUEIDENTIFIER NULL,
[GroupId] UNIQUEIDENTIFIER NULL,
[ServiceAccountId] UNIQUEIDENTIFIER NULL,
[GrantedProjectId] UNIQUEIDENTIFIER NULL,
CREATE TABLE [dbo].[AccessPolicy]
(
[Id] UNIQUEIDENTIFIER NOT NULL,
[Discriminator] NVARCHAR (50) NOT NULL,
[OrganizationUserId] UNIQUEIDENTIFIER NULL,
[GroupId] UNIQUEIDENTIFIER NULL,
[ServiceAccountId] UNIQUEIDENTIFIER NULL,
[GrantedProjectId] UNIQUEIDENTIFIER NULL,
[GrantedServiceAccountId] UNIQUEIDENTIFIER NULL,
[Read] BIT NOT NULL,
[Write] BIT NOT NULL,
[CreationDate] DATETIME2 NOT NULL,
[RevisionDate] DATETIME2 NOT NULL,
CONSTRAINT [PK_AccessPolicy] PRIMARY KEY CLUSTERED ([Id]),
CONSTRAINT [FK_AccessPolicy_Group_GroupId] FOREIGN KEY ([GroupId]) REFERENCES [Group] ([Id]) ON DELETE CASCADE,
CONSTRAINT [FK_AccessPolicy_OrganizationUser_OrganizationUserId] FOREIGN KEY ([OrganizationUserId]) REFERENCES [OrganizationUser] ([Id]),
CONSTRAINT [FK_AccessPolicy_Project_GrantedProjectId] FOREIGN KEY ([GrantedProjectId]) REFERENCES [Project] ([Id]) ON DELETE CASCADE,
CONSTRAINT [FK_AccessPolicy_ServiceAccount_GrantedServiceAccountId] FOREIGN KEY ([GrantedServiceAccountId]) REFERENCES [ServiceAccount] ([Id]),
CONSTRAINT [FK_AccessPolicy_ServiceAccount_ServiceAccountId] FOREIGN KEY ([ServiceAccountId]) REFERENCES [ServiceAccount] ([Id])
[Read] BIT NOT NULL,
[Write] BIT NOT NULL,
[CreationDate] DATETIME2 NOT NULL,
[RevisionDate] DATETIME2 NOT NULL,
[GrantedSecretId] UNIQUEIDENTIFIER NULL,
CONSTRAINT [PK_AccessPolicy] PRIMARY KEY CLUSTERED ([Id] ASC),
CONSTRAINT [FK_AccessPolicy_Group_GroupId] FOREIGN KEY ([GroupId]) REFERENCES [dbo].[Group] ([Id]) ON DELETE CASCADE,
CONSTRAINT [FK_AccessPolicy_OrganizationUser_OrganizationUserId] FOREIGN KEY ([OrganizationUserId]) REFERENCES [dbo].[OrganizationUser] ([Id]),
CONSTRAINT [FK_AccessPolicy_Project_GrantedProjectId] FOREIGN KEY ([GrantedProjectId]) REFERENCES [dbo].[Project] ([Id]) ON DELETE CASCADE,
CONSTRAINT [FK_AccessPolicy_ServiceAccount_GrantedServiceAccountId] FOREIGN KEY ([GrantedServiceAccountId]) REFERENCES [dbo].[ServiceAccount] ([Id]),
CONSTRAINT [FK_AccessPolicy_ServiceAccount_ServiceAccountId] FOREIGN KEY ([ServiceAccountId]) REFERENCES [dbo].[ServiceAccount] ([Id]),
CONSTRAINT [FK_AccessPolicy_Secret_GrantedSecretId] FOREIGN KEY ([GrantedSecretId]) REFERENCES [dbo].[Secret] ([Id]) ON DELETE CASCADE
);
GO
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GroupId] ON [AccessPolicy] ([GroupId]);
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GroupId] ON [dbo].[AccessPolicy]([GroupId] ASC);
GO
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_OrganizationUserId] ON [AccessPolicy] ([OrganizationUserId]);
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_OrganizationUserId] ON [dbo].[AccessPolicy]([OrganizationUserId] ASC);
GO
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedProjectId] ON [AccessPolicy] ([GrantedProjectId]);
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedProjectId] ON [dbo].[AccessPolicy]([GrantedProjectId] ASC);
GO
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_ServiceAccountId] ON [AccessPolicy] ([ServiceAccountId]);
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_ServiceAccountId] ON [dbo].[AccessPolicy]([ServiceAccountId] ASC);
GO
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedServiceAccountId] ON [AccessPolicy] ([GrantedServiceAccountId]);
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedServiceAccountId] ON [dbo].[AccessPolicy]([GrantedServiceAccountId] ASC);
GO
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedSecretId] ON [dbo].[AccessPolicy]([GrantedSecretId] ASC);