nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-01 08:02:49 -05:00
Code Activity

[SM-705] Extract Authorization from Access Token Commands (#2928)

Browse Source 
* refactor authorization for access token commands

* Unit tests for authorization handler
This commit is contained in:
Thomas Avery
2023-06-13 15:30:44 -05:00
committed by GitHub
parent b7a40406af
commit 3449d28c83
8 changed files with 389 additions and 243 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
src/Api/SecretsManager/Controllers/ServiceAccountsController.cs
View File

@ -140,28 +140,12 @@ public class ServiceAccountsController : Controller
[HttpGet("{id}/access-tokens")]
public async Task<ListResponseModel<AccessTokenResponseModel>> GetAccessTokens([FromRoute] Guid id)
{
var userId = _userService.GetProperUserId(User).Value;
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
if (serviceAccount == null)
{
throw new NotFoundException();
}
var authorizationResult =
await _authorizationService.AuthorizeAsync(User, serviceAccount,
ServiceAccountOperations.ReadAccessTokens);
if (!_currentContext.AccessSecretsManager(serviceAccount.OrganizationId))
{
throw new NotFoundException();
}
var orgAdmin = await _currentContext.OrganizationAdmin(serviceAccount.OrganizationId);
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
var hasAccess = accessClient switch
{
AccessClientType.NoAccessCheck => true,
AccessClientType.User => await _serviceAccountRepository.UserHasReadAccessToServiceAccount(id, userId),
_ => false,
};
if (!hasAccess)
if (!authorizationResult.Succeeded)
{
throw new NotFoundException();
}
@ -175,38 +159,29 @@ public class ServiceAccountsController : Controller
public async Task<AccessTokenCreationResponseModel> CreateAccessTokenAsync([FromRoute] Guid id,
[FromBody] AccessTokenCreateRequestModel request)
{
var userId = _userService.GetProperUserId(User).Value;
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
var authorizationResult =
await _authorizationService.AuthorizeAsync(User, serviceAccount,
ServiceAccountOperations.CreateAccessToken);
var result = await _createAccessTokenCommand.CreateAsync(request.ToApiKey(id), userId);
if (!authorizationResult.Succeeded)
{
throw new NotFoundException();
}
var result = await _createAccessTokenCommand.CreateAsync(request.ToApiKey(id));
return new AccessTokenCreationResponseModel(result);
}
[HttpPost("{id}/access-tokens/revoke")]
public async Task RevokeAccessTokensAsync(Guid id, [FromBody] RevokeAccessTokensRequest request)
{
var userId = _userService.GetProperUserId(User).Value;
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
if (serviceAccount == null)
{
throw new NotFoundException();
}
var authorizationResult =
await _authorizationService.AuthorizeAsync(User, serviceAccount,
ServiceAccountOperations.RevokeAccessTokens);
if (!_currentContext.AccessSecretsManager(serviceAccount.OrganizationId))
{
throw new NotFoundException();
}
var orgAdmin = await _currentContext.OrganizationAdmin(serviceAccount.OrganizationId);
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
var hasAccess = accessClient switch
{
AccessClientType.NoAccessCheck => true,
AccessClientType.User => await _serviceAccountRepository.UserHasWriteAccessToServiceAccount(id, userId),
_ => false,
};
if (!hasAccess)
if (!authorizationResult.Succeeded)
{
throw new NotFoundException();
}