[SM-713] Add database support for secret access policies (#3681)
* mssql add column and migration * Add secret access policies to EF models and config * Clear new access policies on service account delete * Add SM cleanup code on delete * Fix EF org user bulk delete * Run EF migrations
@ -13,9 +13,12 @@ public class AccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<Acce
|
||||
.HasDiscriminator<string>("Discriminator")
|
||||
.HasValue<UserProjectAccessPolicy>(AccessPolicyDiscriminator.UserProject)
|
||||
.HasValue<UserServiceAccountAccessPolicy>(AccessPolicyDiscriminator.UserServiceAccount)
|
||||
.HasValue<UserSecretAccessPolicy>(AccessPolicyDiscriminator.UserSecret)
|
||||
.HasValue<GroupProjectAccessPolicy>(AccessPolicyDiscriminator.GroupProject)
|
||||
.HasValue<GroupServiceAccountAccessPolicy>(AccessPolicyDiscriminator.GroupServiceAccount)
|
||||
.HasValue<ServiceAccountProjectAccessPolicy>(AccessPolicyDiscriminator.ServiceAccountProject);
|
||||
.HasValue<GroupSecretAccessPolicy>(AccessPolicyDiscriminator.GroupSecret)
|
||||
.HasValue<ServiceAccountProjectAccessPolicy>(AccessPolicyDiscriminator.ServiceAccountProject)
|
||||
.HasValue<ServiceAccountSecretAccessPolicy>(AccessPolicyDiscriminator.ServiceAccountSecret);
|
||||
|
||||
builder
|
||||
.Property(s => s.Id)
|
||||
@ -63,6 +66,26 @@ public class UserServiceAccountAccessPolicyEntityTypeConfiguration : IEntityType
|
||||
}
|
||||
}
|
||||
|
||||
public class UserSecretAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<UserSecretAccessPolicy>
|
||||
{
|
||||
public void Configure(EntityTypeBuilder<UserSecretAccessPolicy> builder)
|
||||
{
|
||||
builder
|
||||
.Property(e => e.OrganizationUserId)
|
||||
.HasColumnName(nameof(UserSecretAccessPolicy.OrganizationUserId));
|
||||
|
||||
builder
|
||||
.Property(e => e.GrantedSecretId)
|
||||
.HasColumnName(nameof(UserSecretAccessPolicy.GrantedSecretId));
|
||||
|
||||
builder
|
||||
.HasOne(e => e.GrantedSecret)
|
||||
.WithMany(e => e.UserAccessPolicies)
|
||||
.HasForeignKey(nameof(UserSecretAccessPolicy.GrantedSecretId))
|
||||
.OnDelete(DeleteBehavior.Cascade);
|
||||
}
|
||||
}
|
||||
|
||||
public class GroupProjectAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<GroupProjectAccessPolicy>
|
||||
{
|
||||
public void Configure(EntityTypeBuilder<GroupProjectAccessPolicy> builder)
|
||||
@ -109,6 +132,32 @@ public class GroupServiceAccountAccessPolicyEntityTypeConfiguration : IEntityTyp
|
||||
}
|
||||
}
|
||||
|
||||
public class GroupSecretAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<GroupSecretAccessPolicy>
|
||||
{
|
||||
public void Configure(EntityTypeBuilder<GroupSecretAccessPolicy> builder)
|
||||
{
|
||||
builder
|
||||
.Property(e => e.GroupId)
|
||||
.HasColumnName(nameof(GroupSecretAccessPolicy.GroupId));
|
||||
|
||||
builder
|
||||
.Property(e => e.GrantedSecretId)
|
||||
.HasColumnName(nameof(GroupSecretAccessPolicy.GrantedSecretId));
|
||||
|
||||
builder
|
||||
.HasOne(e => e.GrantedSecret)
|
||||
.WithMany(e => e.GroupAccessPolicies)
|
||||
.HasForeignKey(nameof(GroupSecretAccessPolicy.GrantedSecretId))
|
||||
.OnDelete(DeleteBehavior.Cascade);
|
||||
|
||||
builder
|
||||
.HasOne(e => e.Group)
|
||||
.WithMany()
|
||||
.HasForeignKey(nameof(GroupSecretAccessPolicy.GroupId))
|
||||
.OnDelete(DeleteBehavior.Cascade);
|
||||
}
|
||||
}
|
||||
|
||||
public class ServiceAccountProjectAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<ServiceAccountProjectAccessPolicy>
|
||||
{
|
||||
public void Configure(EntityTypeBuilder<ServiceAccountProjectAccessPolicy> builder)
|
||||
@ -128,3 +177,23 @@ public class ServiceAccountProjectAccessPolicyEntityTypeConfiguration : IEntityT
|
||||
.OnDelete(DeleteBehavior.Cascade);
|
||||
}
|
||||
}
|
||||
|
||||
public class ServiceAccountSecretAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<ServiceAccountSecretAccessPolicy>
|
||||
{
|
||||
public void Configure(EntityTypeBuilder<ServiceAccountSecretAccessPolicy> builder)
|
||||
{
|
||||
builder
|
||||
.Property(e => e.ServiceAccountId)
|
||||
.HasColumnName(nameof(ServiceAccountSecretAccessPolicy.ServiceAccountId));
|
||||
|
||||
builder
|
||||
.Property(e => e.GrantedSecretId)
|
||||
.HasColumnName(nameof(ServiceAccountSecretAccessPolicy.GrantedSecretId));
|
||||
|
||||
builder
|
||||
.HasOne(e => e.GrantedSecret)
|
||||
.WithMany(e => e.ServiceAccountAccessPolicies)
|
||||
.HasForeignKey(nameof(ServiceAccountSecretAccessPolicy.GrantedSecretId))
|
||||
.OnDelete(DeleteBehavior.Cascade);
|
||||
}
|
||||
}
|
||||
|
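Review bot: ServiceAccountSecretAccessPolicyEntityTypeConfiguration and UserSecretAccessPolicyEntityTypeConfiguration configure only the GrantedSecret side of the relationship (with cascade delete), whereas GroupSecretAccessPolicyEntityTypeConfiguration in the earlier hunk also declares the Group side with `.OnDelete(DeleteBehavior.Cascade)`; nothing in this file ties the ServiceAccountId or OrganizationUserId column to the lifetime of its subject. Because these rows are authorization grants, a policy that outlives its service account or organization user is a stale grant, so the asymmetry is worth stating explicitly rather than leaving it to be inferred. The commit description says the new policies are cleared in application code on service-account delete and that the org-user bulk delete was fixed, which suggests the omission is deliberate and likely mirrors the existing ServiceAccountProject configuration (whose start lies outside the last hunk), but the file does not say so. I would add above the `builder.HasOne(e => e.GrantedSecret)` call in the ServiceAccountSecret configuration: `// No FK/cascade is declared on the ServiceAccount side: rows are removed by the service-account delete path, not by the database.` and the equivalent comment for OrganizationUserId in the UserSecret configuration.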
@ -4,8 +4,10 @@ public static class AccessPolicyDiscriminator
|
||||
{
|
||||
public const string UserProject = "user_project";
|
||||
public const string UserServiceAccount = "user_service_account";
|
||||
public const string UserSecret = "user_secret";
|
||||
public const string GroupProject = "group_project";
|
||||
public const string GroupServiceAccount = "group_service_account";
|
||||
public const string GroupSecret = "group_secret";
|
||||
public const string ServiceAccountProject = "service_account_project";
|
||||
|
||||
public const string ServiceAccountSecret = "service_account_secret";
|
||||
}
|
||||
|
@ -24,6 +24,12 @@ public class AccessPolicyMapperProfile : Profile
|
||||
.ReverseMap()
|
||||
.ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
|
||||
|
||||
CreateMap<Core.SecretsManager.Entities.UserSecretAccessPolicy, UserSecretAccessPolicy>()
|
||||
.ForMember(dst => dst.GrantedSecret, opt => opt.Ignore())
|
||||
.ForMember(dst => dst.OrganizationUser, opt => opt.Ignore())
|
||||
.ReverseMap()
|
||||
.ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
|
||||
|
||||
CreateMap<Core.SecretsManager.Entities.GroupProjectAccessPolicy, GroupProjectAccessPolicy>()
|
||||
.ForMember(dst => dst.GrantedProject, opt => opt.Ignore())
|
||||
.ForMember(dst => dst.Group, opt => opt.Ignore())
|
||||
@ -34,10 +40,20 @@ public class AccessPolicyMapperProfile : Profile
|
||||
.ForMember(dst => dst.Group, opt => opt.Ignore())
|
||||
.ReverseMap();
|
||||
|
||||
CreateMap<Core.SecretsManager.Entities.GroupSecretAccessPolicy, GroupSecretAccessPolicy>()
|
||||
.ForMember(dst => dst.GrantedSecret, opt => opt.Ignore())
|
||||
.ForMember(dst => dst.Group, opt => opt.Ignore())
|
||||
.ReverseMap();
|
||||
|
||||
CreateMap<Core.SecretsManager.Entities.ServiceAccountProjectAccessPolicy, ServiceAccountProjectAccessPolicy>()
|
||||
.ForMember(dst => dst.GrantedProject, opt => opt.Ignore())
|
||||
.ForMember(dst => dst.ServiceAccount, opt => opt.Ignore())
|
||||
.ReverseMap();
|
||||
|
||||
CreateMap<Core.SecretsManager.Entities.ServiceAccountSecretAccessPolicy, ServiceAccountSecretAccessPolicy>()
|
||||
.ForMember(dst => dst.GrantedSecret, opt => opt.Ignore())
|
||||
.ForMember(dst => dst.ServiceAccount, opt => opt.Ignore())
|
||||
.ReverseMap();
|
||||
}
|
||||
}
|
||||
|
||||
@ -61,6 +77,14 @@ public class UserServiceAccountAccessPolicy : AccessPolicy
|
||||
public virtual ServiceAccount GrantedServiceAccount { get; set; }
|
||||
}
|
||||
|
||||
public class UserSecretAccessPolicy : AccessPolicy
|
||||
{
|
||||
public Guid? OrganizationUserId { get; set; }
|
||||
public virtual OrganizationUser OrganizationUser { get; set; }
|
||||
public Guid? GrantedSecretId { get; set; }
|
||||
public virtual Secret GrantedSecret { get; set; }
|
||||
}
|
||||
|
||||
public class GroupProjectAccessPolicy : AccessPolicy
|
||||
{
|
||||
public Guid? GroupId { get; set; }
|
||||
@ -77,6 +101,14 @@ public class GroupServiceAccountAccessPolicy : AccessPolicy
|
||||
public virtual ServiceAccount GrantedServiceAccount { get; set; }
|
||||
}
|
||||
|
||||
public class GroupSecretAccessPolicy : AccessPolicy
|
||||
{
|
||||
public Guid? GroupId { get; set; }
|
||||
public virtual Group Group { get; set; }
|
||||
public Guid? GrantedSecretId { get; set; }
|
||||
public virtual Secret GrantedSecret { get; set; }
|
||||
}
|
||||
|
||||
public class ServiceAccountProjectAccessPolicy : AccessPolicy
|
||||
{
|
||||
public Guid? ServiceAccountId { get; set; }
|
||||
@ -84,3 +116,12 @@ public class ServiceAccountProjectAccessPolicy : AccessPolicy
|
||||
public Guid? GrantedProjectId { get; set; }
|
||||
public virtual Project GrantedProject { get; set; }
|
||||
}
|
||||
|
||||
public class ServiceAccountSecretAccessPolicy : AccessPolicy
|
||||
{
|
||||
public Guid? ServiceAccountId { get; set; }
|
||||
public virtual ServiceAccount ServiceAccount { get; set; }
|
||||
public Guid? GrantedSecretId { get; set; }
|
||||
public virtual Secret GrantedSecret { get; set; }
|
||||
}
|
||||
|
||||
|
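Review bot: The three new policy classes (UserSecretAccessPolicy, GroupSecretAccessPolicy, ServiceAccountSecretAccessPolicy) declare both the subject key and GrantedSecretId as `Guid?`, so a `user_secret` row whose subject or granted secret is null is representable in the shared access-policy table. That is presumably unavoidable with the single-table discriminator layout used in the configuration hunks, and it matches the existing GroupProject and ServiceAccountProject siblings, but the consumer of these rows has to decide what a half-populated policy means, and nothing here documents it. A short XML summary on each of the new classes would remove the ambiguity, for example on UserSecretAccessPolicy: `/// <summary>Grants an organization user access to a single secret. Both keys are nullable only because of the shared-table mapping; a row with a null subject or secret grants nothing.</summary>`, with the last clause adjusted to whatever the authorization code actually does. The hunks cut through the enclosing file, so the base AccessPolicy class and its Read/Write members are not visible here.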
@ -5,8 +5,11 @@ namespace Bit.Infrastructure.EntityFramework.SecretsManager.Models;
|
||||
|
||||
public class Secret : Core.SecretsManager.Entities.Secret
|
||||
{
|
||||
public virtual new ICollection<Project> Projects { get; set; }
|
||||
public new virtual ICollection<Project> Projects { get; set; }
|
||||
public virtual Organization Organization { get; set; }
|
||||
public virtual ICollection<UserSecretAccessPolicy> UserAccessPolicies { get; set; }
|
||||
public virtual ICollection<GroupSecretAccessPolicy> GroupAccessPolicies { get; set; }
|
||||
public virtual ICollection<ServiceAccountSecretAccessPolicy> ServiceAccountAccessPolicies { get; set; }
|
||||
}
|
||||
|
||||
public class SecretMapperProfile : Profile
|
||||
|
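Review bot: The three navigation collections added to Secret (UserAccessPolicies, GroupAccessPolicies, ServiceAccountAccessPolicies) are the inverse side of the cascade-delete relationships declared in the access-policy configurations, but nothing on the class says so, and the reordering of `virtual new` to `new virtual` on Projects looks like a modifier-order style fix rather than a behavioral change. Since deleting a Secret will now silently remove every policy row that references it, I would document that on the property block: `// Inverse navigations for the per-secret access policies; deleting the secret cascades to these rows.` The base Core.SecretsManager.Entities.Secret and the rest of SecretMapperProfile lie outside the hunk, so whether the mapper profile needs to ignore these new collections cannot be judged from here.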