nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-01 16:12:49 -05:00
Code Activity

[AC-1139] Added an AuthorizationHandler for Collections and renamed existing to BulkCollectionAuthorizationHandler

Browse Source
This commit is contained in:
Rui Tome
2023-10-24 12:49:04 +01:00
parent f00dbf0052
commit 20fe2bcc5b
2 changed files with 85 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

106
src/Api/Vault/AuthorizationHandlers/Collections/CollectionAuthorizationHandler.cs
View File

@ -10,11 +10,84 @@ using Microsoft.AspNetCore.Authorization;
namespace Bit.Api.Vault.AuthorizationHandlers.Collections;
/// <summary>
/// Handles authorization logic for Collection operations.
/// This uses new logic implemented in the Flexible Collections initiative.
/// </summary>
public class CollectionAuthorizationHandler : AuthorizationHandler<CollectionOperationRequirement>
{
private readonly ICurrentContext _currentContext;
private readonly IFeatureService _featureService;
private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
public CollectionAuthorizationHandler(
ICurrentContext currentContext,
IFeatureService featureService)
{
_currentContext = currentContext;
_featureService = featureService;
}
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
CollectionOperationRequirement requirement)
{
if (!FlexibleCollectionsIsEnabled)
{
// Flexible collections is OFF, should not be using this handler
throw new FeatureUnavailableException("Flexible collections is OFF when it should be ON.");
}
if (!_currentContext.UserId.HasValue)
{
context.Fail();
return;
}
var targetOrganizationId = requirement.OrganizationId;
if (targetOrganizationId == default)
{
context.Fail();
return;
}
// Acting user is not a member of the target organization, fail
var org = _currentContext.GetOrganization(targetOrganizationId);
if (org == null)
{
context.Fail();
return;
}
switch (requirement)
{
case not null when requirement.Name == nameof(CollectionOperations.ReadAll):
await CanReadAllAsync(context, requirement, org);
break;
}
}
private async Task CanReadAllAsync(AuthorizationHandlerContext context, CollectionOperationRequirement requirement,
CurrentContextOrganization org)
{
if (org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin ||
org.Permissions.ManageGroups ||
org.Permissions.ManageUsers ||
org.Permissions.EditAnyCollection ||
org.Permissions.DeleteAnyCollection ||
org.Permissions.AccessImportExport ||
await _currentContext.ProviderUserForOrgAsync(org.Id))
{
context.Succeed(requirement);
}
}
}
/// <summary>
/// Handles authorization logic for Collection objects, including access permissions for users and groups.
/// This uses new logic implemented in the Flexible Collections initiative.
/// </summary>
public class CollectionAuthorizationHandler : BulkAuthorizationHandler<CollectionOperationRequirement, Collection>
public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<CollectionOperationRequirement, Collection>
{
private readonly ICurrentContext _currentContext;
private readonly ICollectionRepository _collectionRepository;
@ -22,7 +95,9 @@ public class CollectionAuthorizationHandler : BulkAuthorizationHandler<Collectio
private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
public CollectionAuthorizationHandler(ICurrentContext currentContext, ICollectionRepository collectionRepository,
public BulkCollectionAuthorizationHandler(
ICurrentContext currentContext,
ICollectionRepository collectionRepository,
IFeatureService featureService)
{
_currentContext = currentContext;
@ -53,7 +128,13 @@ public class CollectionAuthorizationHandler : BulkAuthorizationHandler<Collectio
}
var targetOrganizationId = requirement.OrganizationId != default
? requirement.OrganizationId : resources.First().OrganizationId;
? requirement.OrganizationId : resources.FirstOrDefault()?.OrganizationId ?? default;
if (targetOrganizationId == default)
{
context.Fail();
return;
}
// Ensure all target collections belong to the same organization
if (resources.Any(tc => tc.OrganizationId != targetOrganizationId))
@ -79,10 +160,6 @@ public class CollectionAuthorizationHandler : BulkAuthorizationHandler<Collectio
await CanReadAsync(context, requirement, resources, org);
break;
case not null when requirement.Name == nameof(CollectionOperations.ReadAll):
await CanReadAllAsync(context, requirement, org);
break;
case not null when requirement == CollectionOperations.Delete:
await CanDeleteAsync(context, requirement, resources, org);
break;
@ -130,21 +207,6 @@ public class CollectionAuthorizationHandler : BulkAuthorizationHandler<Collectio
await CheckCollectionPermissionsAsync(context, requirement, targetCollections, org, requireManagePermission: false);
}
private async Task CanReadAllAsync(AuthorizationHandlerContext context, CollectionOperationRequirement requirement,
CurrentContextOrganization org)
{
if (org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin ||
org.Permissions.ManageGroups ||
org.Permissions.ManageUsers ||
org.Permissions.EditAnyCollection ||
org.Permissions.DeleteAnyCollection ||
org.Permissions.AccessImportExport ||
await _currentContext.ProviderUserForOrgAsync(org.Id))
{
context.Succeed(requirement);
}
}
private async Task CanDeleteAsync(AuthorizationHandlerContext context, CollectionOperationRequirement requirement,
ICollection<Collection> targetCollections, CurrentContextOrganization org)
{

2
src/Api/Vault/AuthorizationHandlers/Collections/CollectionOperations.cs
View File

@ -4,7 +4,7 @@ namespace Bit.Api.Vault.AuthorizationHandlers.Collections;
public class CollectionOperationRequirement : OperationAuthorizationRequirement
{
public Guid OrganizationId { get; set; }
public Guid OrganizationId { get; init; }
public CollectionOperationRequirement() { }