[SM-394] Secrets Manager (#2164)

Long lived feature branch for Secrets Manager

Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com>
Co-authored-by: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com>
Co-authored-by: CarleyDiaz-Bitwarden <103955722+CarleyDiaz-Bitwarden@users.noreply.github.com>
Co-authored-by: Thomas Avery <tavery@bitwarden.com>
Co-authored-by: Colton Hurst <colton@coltonhurst.com>

src/Sql/Sql.sqlproj

@@ -73,6 +73,9 @@
     <Build Include="dbo\Functions\PolicyApplicableToUser.sql" />
     <Build Include="dbo\Functions\UserCipherDetails.sql" />
     <Build Include="dbo\Functions\UserCollectionDetails.sql" />
+    <Build Include="dbo\Stored Procedures\ApiKey\ApiKeyDetails_ReadById.sql" />
+    <Build Include="dbo\Stored Procedures\ApiKey\ApiKey_Create.sql" />
+    <Build Include="dbo\Stored Procedures\ApiKey\ApiKey_ReadByServiceAccountId.sql" />
     <Build Include="dbo\Stored Procedures\AuthRequest_Create.sql" />
     <Build Include="dbo\Stored Procedures\AuthRequest_DeleteById.sql" />
     <Build Include="dbo\Stored Procedures\AuthRequest_DeleteIfExpired.sql" />
@@ -350,6 +353,8 @@
     <Build Include="dbo\Stored Procedures\User_UpdateKeys.sql" />
     <Build Include="dbo\Stored Procedures\User_UpdateRenewalReminderDate.sql" />
     <Build Include="dbo\Stored Procedures\User_UpdateStorage.sql" />
+    <Build Include="dbo\Tables\AccessPolicy.sql" />
+    <Build Include="dbo\Tables\ApiKey.sql" />
     <Build Include="dbo\Tables\AuthRequest.sql" />
     <Build Include="dbo\Tables\Cipher.sql" />
     <Build Include="dbo\Tables\Collection.sql" />
@@ -370,10 +375,14 @@
     <Build Include="dbo\Tables\OrganizationSponsorship.sql" />
     <Build Include="dbo\Tables\OrganizationUser.sql" />
     <Build Include="dbo\Tables\Policy.sql" />
+    <Build Include="dbo\Tables\Project.sql" />
+    <Build Include="dbo\Tables\ProjectSecret.sql" />
     <Build Include="dbo\Tables\Provider.sql" />
     <Build Include="dbo\Tables\ProviderOrganization.sql" />
     <Build Include="dbo\Tables\ProviderUser.sql" />
+    <Build Include="dbo\Tables\Secret.sql" />
     <Build Include="dbo\Tables\Send.sql" />
+    <Build Include="dbo\Tables\ServiceAccount.sql" />
     <Build Include="dbo\Tables\SsoConfig.sql" />
     <Build Include="dbo\Tables\SsoUser.sql" />
     <Build Include="dbo\Tables\TaxRate.sql" />
@@ -385,6 +394,8 @@
     <Build Include="dbo\User Defined Types\OrganizationUserType.sql" />
     <Build Include="dbo\User Defined Types\SelectionReadOnlyArray.sql" />
     <Build Include="dbo\User Defined Types\TwoGuidIdArray.sql" />
+    <Build Include="dbo\Views\ApiKeyDetailsView.sql" />
+    <Build Include="dbo\Views\ApiKeyView.sql" />
     <Build Include="dbo\Views\AuthRequestView.sql" />
     <Build Include="dbo\Views\CipherView.sql" />
     <Build Include="dbo\Views\CollectionView.sql" />

src/Sql/dbo/Stored Procedures/ApiKey/ApiKeyDetails_ReadById.sql

@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[ApiKeyDetails_ReadById]
+    @Id UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[ApiKeyDetailsView]
+    WHERE
+        [Id] = @Id
+END

src/Sql/dbo/Stored Procedures/ApiKey/ApiKey_Create.sql

@@ -0,0 +1,42 @@
+CREATE PROCEDURE [dbo].[ApiKey_Create]
+    @Id UNIQUEIDENTIFIER OUTPUT,
+    @ServiceAccountId UNIQUEIDENTIFIER,
+    @Name VARCHAR(200),
+    @ClientSecret VARCHAR(30),
+    @Scope NVARCHAR(4000),
+    @EncryptedPayload NVARCHAR(4000),
+    @Key VARCHAR(MAX),
+    @ExpireAt DATETIME2(7),
+    @CreationDate DATETIME2(7),
+    @RevisionDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    INSERT INTO [dbo].[ApiKey] 
+    (
+        [Id],
+        [ServiceAccountId],
+        [Name],
+        [ClientSecret],
+        [Scope],
+        [EncryptedPayload],
+        [Key],
+        [ExpireAt],
+        [CreationDate],
+        [RevisionDate]
+    )
+    VALUES 
+    (
+        @Id,
+        @ServiceAccountId,
+        @Name,
+        @ClientSecret,
+        @Scope,
+        @EncryptedPayload,
+        @Key,
+        @ExpireAt,
+        @CreationDate,
+        @RevisionDate
+    )
+END

src/Sql/dbo/Stored Procedures/ApiKey/ApiKey_ReadByServiceAccountId.sql

@@ -0,0 +1,13 @@
+CREATE PROCEDURE [dbo].[ApiKey_ReadByServiceAccountId]
+    @ServiceAccountId UNIQUEIDENTIFIER
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    SELECT
+        *
+    FROM
+        [dbo].[ApiKeyView]
+    WHERE
+        [ServiceAccountId] = @ServiceAccountId
+END

src/Sql/dbo/Stored Procedures/OrganizationUser_DeleteById.sql

@@ -3,9 +3,9 @@
 AS
 BEGIN
     SET NOCOUNT ON
-    
+
     EXEC [dbo].[User_BumpAccountRevisionDateByOrganizationUserId] @Id
-    
+
     DECLARE @OrganizationId UNIQUEIDENTIFIER
     DECLARE @UserId UNIQUEIDENTIFIER
 
@@ -34,6 +34,12 @@ BEGIN
     WHERE
         [OrganizationUserId] = @Id
 
+    DELETE
+    FROM
+        [dbo].[AccessPolicy]
+    WHERE
+        [OrganizationUserId] = @Id
+
     EXEC [dbo].[OrganizationSponsorship_OrganizationUserDeleted] @Id
 
     DELETE

src/Sql/dbo/Stored Procedures/Organization_Create.sql

@@ -42,7 +42,8 @@
     @MaxAutoscaleSeats INT,
     @UseKeyConnector BIT = 0,
     @UseScim BIT = 0,
-    @UseCustomPermissions BIT = 0
+    @UseCustomPermissions BIT = 0,
+    @UseSecretsManager BIT = 0
 AS
 BEGIN
     SET NOCOUNT ON
@@ -92,7 +93,8 @@ BEGIN
         [MaxAutoscaleSeats],
         [UseKeyConnector],
         [UseScim],
-        [UseCustomPermissions]
+        [UseCustomPermissions],
+        [UseSecretsManager]
     )
     VALUES
     (
@@ -139,6 +141,7 @@ BEGIN
         @MaxAutoscaleSeats,
         @UseKeyConnector,
         @UseScim,
-        @UseCustomPermissions
+        @UseCustomPermissions,
+        @UseSecretsManager
     )
 END

src/Sql/dbo/Stored Procedures/Organization_DeleteById.sql

@@ -61,6 +61,32 @@ BEGIN
     EXEC [dbo].[OrganizationConnection_OrganizationDeleted] @Id
     EXEC [dbo].[OrganizationSponsorship_OrganizationDeleted] @Id
 
+    DELETE
+    FROM
+        [dbo].[Project]
+    WHERE
+        [OrganizationId] = @Id
+
+    DELETE
+    FROM
+        [dbo].[Secret]
+    WHERE
+        [OrganizationId] = @Id
+
+    DELETE AK
+    FROM
+        [dbo].[ApiKey] AK
+    INNER JOIN
+        [dbo].[ServiceAccount] SA ON [AK].[ServiceAccountId] = [SA].[Id]
+    WHERE
+        [SA].[OrganizationId] = @Id
+
+    DELETE
+    FROM
+        [dbo].[ServiceAccount]
+    WHERE
+        [OrganizationId] = @Id
+
     DELETE
     FROM
         [dbo].[Organization]

src/Sql/dbo/Stored Procedures/Organization_Update.sql

@@ -42,7 +42,8 @@
     @MaxAutoscaleSeats INT,
     @UseKeyConnector BIT = 0,
     @UseScim BIT = 0,
-    @UseCustomPermissions BIT = 0
+    @UseCustomPermissions BIT = 0,
+    @UseSecretsManager BIT = 0
 AS
 BEGIN
     SET NOCOUNT ON
@@ -92,7 +93,8 @@ BEGIN
         [MaxAutoscaleSeats] = @MaxAutoscaleSeats,
         [UseKeyConnector] = @UseKeyConnector,
         [UseScim] = @UseScim,
-        [UseCustomPermissions] = @UseCustomPermissions
+        [UseCustomPermissions] = @UseCustomPermissions,
+        [UseSecretsManager] = @UseSecretsManager
     WHERE
         [Id] = @Id
 END

src/Sql/dbo/Stored Procedures/User_DeleteById.sql

@@ -58,6 +58,16 @@ BEGIN
     WHERE
         OU.[UserId] = @Id
 
+    -- Delete AccessPolicy
+    DELETE
+        AP
+    FROM
+        [dbo].[AccessPolicy] AP
+    INNER JOIN
+        [dbo].[OrganizationUser] OU ON OU.[Id] = AP.[OrganizationUserId]
+    WHERE
+        [UserId] = @Id
+
     -- Delete organization users
     DELETE
     FROM

src/Sql/dbo/Tables/AccessPolicy.sql

@@ -0,0 +1,34 @@
+CREATE TABLE [AccessPolicy] (
+    [Id]                      UNIQUEIDENTIFIER NOT NULL,
+    [Discriminator]           NVARCHAR(50)     NOT NULL,
+    [OrganizationUserId]      UNIQUEIDENTIFIER NULL,
+    [GroupId]                 UNIQUEIDENTIFIER NULL,
+    [ServiceAccountId]        UNIQUEIDENTIFIER NULL,
+    [GrantedProjectId]        UNIQUEIDENTIFIER NULL,
+    [GrantedServiceAccountId] UNIQUEIDENTIFIER NULL,
+    [Read]                    BIT NOT NULL,
+    [Write]                   BIT NOT NULL,
+    [CreationDate]            DATETIME2 NOT NULL,
+    [RevisionDate]            DATETIME2 NOT NULL,
+    CONSTRAINT [PK_AccessPolicy] PRIMARY KEY CLUSTERED ([Id]),
+    CONSTRAINT [FK_AccessPolicy_Group_GroupId] FOREIGN KEY ([GroupId]) REFERENCES [Group] ([Id]) ON DELETE CASCADE,
+    CONSTRAINT [FK_AccessPolicy_OrganizationUser_OrganizationUserId] FOREIGN KEY ([OrganizationUserId]) REFERENCES [OrganizationUser] ([Id]),
+    CONSTRAINT [FK_AccessPolicy_Project_GrantedProjectId] FOREIGN KEY ([GrantedProjectId]) REFERENCES [Project] ([Id]) ON DELETE CASCADE,
+    CONSTRAINT [FK_AccessPolicy_ServiceAccount_GrantedServiceAccountId] FOREIGN KEY ([GrantedServiceAccountId]) REFERENCES [ServiceAccount] ([Id]),
+    CONSTRAINT [FK_AccessPolicy_ServiceAccount_ServiceAccountId] FOREIGN KEY ([ServiceAccountId]) REFERENCES [ServiceAccount] ([Id])
+);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GroupId] ON [AccessPolicy] ([GroupId]);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_OrganizationUserId] ON [AccessPolicy] ([OrganizationUserId]);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedProjectId] ON [AccessPolicy] ([GrantedProjectId]);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_ServiceAccountId] ON [AccessPolicy] ([ServiceAccountId]);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedServiceAccountId] ON [AccessPolicy] ([GrantedServiceAccountId]);

src/Sql/dbo/Tables/ApiKey.sql

@@ -0,0 +1,18 @@
+CREATE TABLE [dbo].[ApiKey] (
+    [Id]               UNIQUEIDENTIFIER,
+    [ServiceAccountId] UNIQUEIDENTIFIER NULL,
+    [Name]             VARCHAR(200) NOT NULL,
+    [ClientSecret]     VARCHAR(30) NOT NULL,
+    [Scope]            NVARCHAR (4000) NOT NULL,
+    [EncryptedPayload] NVARCHAR (4000) NOT NULL,
+    [Key]              VARCHAR (MAX) NOT NULL,
+    [ExpireAt]         DATETIME2(7) NULL,
+    [CreationDate]     DATETIME2(7) NOT NULL,
+    [RevisionDate]     DATETIME2(7) NOT NULL,
+    CONSTRAINT [PK_ApiKey] PRIMARY KEY CLUSTERED ([Id] ASC),
+    CONSTRAINT [FK_ApiKey_ServiceAccountId] FOREIGN KEY ([ServiceAccountId]) REFERENCES [dbo].[ServiceAccount] ([Id])
+);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_ApiKey_ServiceAccountId]
+    ON [dbo].[ApiKey]([ServiceAccountId] ASC);

src/Sql/dbo/Tables/Organization.sql

@@ -43,6 +43,7 @@
     [UseKeyConnector]               BIT              NOT NULL,
     [UseScim]                       BIT              NOT NULL CONSTRAINT [DF_Organization_UseScim] DEFAULT (0),
     [UseCustomPermissions]          BIT              NOT NULL CONSTRAINT [DF_Organization_UseCustomPermissions] DEFAULT (0),
+    [UseSecretsManager]             BIT              NOT NULL CONSTRAINT [DF_Organization_UseSecretsManager] DEFAULT (0),
     CONSTRAINT [PK_Organization] PRIMARY KEY CLUSTERED ([Id] ASC)
 );
 

src/Sql/dbo/Tables/Project.sql

@@ -0,0 +1,16 @@
+CREATE TABLE [dbo].[Project] (
+    [Id]                UNIQUEIDENTIFIER NOT NULL,
+    [OrganizationId]    UNIQUEIDENTIFIER NOT NULL,
+    [Name]              NVARCHAR(MAX) NULL, 
+    [CreationDate]      DATETIME2 (7),
+    [RevisionDate]      DATETIME2 (7), 
+    [DeletedDate]       DATETIME2 (7) NULL,
+    CONSTRAINT [PK_Project] PRIMARY KEY CLUSTERED ([Id] ASC),
+    CONSTRAINT [FK_Project_Organization] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization] ([Id])
+);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_Project_OrganizationId] ON [dbo].[Project] ([OrganizationId] ASC);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_Project_DeletedDate] ON [dbo].[Project] ([DeletedDate] ASC);

src/Sql/dbo/Tables/ProjectSecret.sql

@@ -0,0 +1,10 @@
+CREATE TABLE [dbo].[ProjectSecret] (
+    [ProjectsId] uniqueidentifier NOT NULL,
+    [SecretsId] uniqueidentifier NOT NULL,
+    CONSTRAINT [PK_ProjectSecret] PRIMARY KEY ([ProjectsId], [SecretsId]),
+    CONSTRAINT [FK_ProjectSecret_Project_ProjectsId] FOREIGN KEY ([ProjectsId]) REFERENCES [Project] ([Id]) ON DELETE CASCADE,
+    CONSTRAINT [FK_ProjectSecret_Secret_SecretsId] FOREIGN KEY ([SecretsId]) REFERENCES [Secret] ([Id]) ON DELETE CASCADE
+);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_ProjectSecret_SecretsId] ON [ProjectSecret] ([SecretsId]);

src/Sql/dbo/Tables/Secret.sql

@@ -0,0 +1,19 @@
+CREATE TABLE [dbo].[Secret]
+(
+    [Id] UNIQUEIDENTIFIER NOT NULL,
+    [OrganizationId] UNIQUEIDENTIFIER NOT NULL,
+    [Key] NVARCHAR(MAX) NULL,
+    [Value] NVARCHAR(MAX) NULL,
+    [Note] NVARCHAR(MAX) NULL,
+    [CreationDate] DATETIME2(7) NOT NULL,
+    [RevisionDate] DATETIME2(7) NOT NULL,
+    [DeletedDate] DATETIME2(7) NULL,
+    CONSTRAINT [PK_Secret] PRIMARY KEY CLUSTERED ([Id] ASC),
+    CONSTRAINT [FK_Secret_OrganizationId] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization]([Id])
+);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_Secret_OrganizationId] ON [dbo].[Secret] ([OrganizationId] ASC);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_Secret_DeletedDate] ON [dbo].[Secret] ([DeletedDate] ASC);

src/Sql/dbo/Tables/ServiceAccount.sql

@@ -0,0 +1,13 @@
+CREATE TABLE [dbo].[ServiceAccount]
+(
+    [Id] UNIQUEIDENTIFIER NOT NULL,
+    [OrganizationId] UNIQUEIDENTIFIER NOT NULL,
+    [Name] NVARCHAR(MAX) NULL,
+    [CreationDate] DATETIME2(7) NOT NULL,
+    [RevisionDate] DATETIME2(7) NOT NULL,
+    CONSTRAINT [PK_ServiceAccount] PRIMARY KEY CLUSTERED ([Id] ASC),
+    CONSTRAINT [FK_ServiceAccount_OrganizationId] FOREIGN KEY ([OrganizationId]) REFERENCES [dbo].[Organization]([Id])
+);
+
+GO
+CREATE NONCLUSTERED INDEX [IX_ServiceAccount_OrganizationId] ON [dbo].[ServiceAccount] ([OrganizationId] ASC);

src/Sql/dbo/Views/ApiKeyDetailsView.sql

@@ -0,0 +1,9 @@
+CREATE VIEW [dbo].[ApiKeyDetailsView]
+AS
+SELECT
+    AK.*,
+    SA.[OrganizationId] ServiceAccountOrganizationId
+FROM
+    [dbo].[ApiKey] AS AK
+LEFT JOIN
+    [dbo].[ServiceAccount] SA ON SA.[Id] = AK.[ServiceAccountId]

src/Sql/dbo/Views/ApiKeyView.sql

@@ -0,0 +1,6 @@
+CREATE VIEW [dbo].[ApiKeyView]
+AS
+SELECT
+    *
+FROM
+    [dbo].[ApiKey]

src/Sql/dbo/Views/OrganizationUserOrganizationDetailsView.sql

@@ -20,6 +20,7 @@ SELECT
     O.[SelfHost],
     O.[UsersGetPremium],
     O.[UseCustomPermissions],
+    O.[UseSecretsManager],
     O.[Seats],
     O.[MaxCollections],
     O.[MaxStorageGb],