mirror of
https://github.com/bitwarden/server.git
synced 2025-07-13 13:47:30 -05:00
[AC-1125] Enforce org setting for creating/deleting collections (#3241)
* [AC-1117] Add manage permission (#3126) * Update sql files to add Manage permission * Add migration script * Rename collection manage migration file to remove duplicate migration date * Migrations * Add manage to models * Add manage to repository * Add constraint to Manage columns * Migration lint fixes * Add manage to OrganizationUserUserDetails_ReadWithCollectionsById * Add missing manage fields * Add 'Manage' to UserCollectionDetails * Use CREATE OR ALTER where possible * [AC-1374] Limit collection creation/deletion to Owner/Admin (#3145) * feat: update org table with new column, write migration, refs AC-1374 * feat: update views with new column, refs AC-1374 * feat: Alter sprocs (org create/update) to include new column, refs AC-1374 * feat: update entity/data/request/response models to handle new column, refs AC-1374 * feat: update necessary Provider related views during migration, refs AC-1374 * fix: update org create to default new column to false, refs AC-1374 * feat: added new API/request model for collection management and removed property from update request model, refs AC-1374 * fix: renamed migration script to be after secrets manage beta column changes, refs AC-1374 * fix: dotnet format, refs AC-1374 * feat: add ef migrations to reflect mssql changes, refs AC-1374 * fix: dotnet format, refs AC-1374 * feat: update API signature to accept Guid and explain Cd verbiage, refs AC-1374 * feat: created collection auth handler/operations, added LimitCollectionCdOwnerAdmin to CurrentContentOrganization, refs AC-1125 * feat: create vault service collection extensions and register with base services, refs AC-1125 * feat: deprecated CurrentContext.CreateNewCollections, refs AC-1125 * feat: deprecate DeleteAnyCollection for single resource usages, refs AC-1125 * feat: move service registration to api, update references, refs AC-1125 * feat: add bulk delete authorization handler, refs AC-1125 * feat: always assign user and give manage access on create, refs AC-1125 * fix: updated CurrentContextOrganization type, refs AC-1125 * feat: combined existing collection authorization handlers/operations, refs AC-1125 * fix: OrganizationServiceTests -> CurrentContentOrganization typo, refs AC-1125 * fix: format, refs AC-1125 * fix: update collection controller tests, refs AC-1125 * fix: dotnet format, refs AC-1125 * feat: removed extra BulkAuthorizationHandler, refs AC-1125 * fix: dotnet format, refs AC-1125 * fix: change string to guid for org id, update bulk delete request model, refs AC-1125 * fix: remove delete many collection check, refs AC-1125 * fix: clean up collection auth handler, refs AC-1125 * fix: format fix for CollectionOperations, refs AC-1125 * fix: removed unnecessary owner check, add org null check to custom permission validation, refs AC-1125 * fix: remove unused methods in CurrentContext, refs AC-1125 * fix: removed obsolete test, fixed failling delete many test, refs AC-1125 * fix: CollectionAuthorizationHandlerTests fixes, refs AC-1125 * fix: OrganizationServiceTests fix broken test by mocking GetOrganization, refs AC-1125 * fix: CollectionAuthorizationHandler - remove unused repository, refs AC-1125 * feat: moved UserId null check to common method, refs AC-1125 * fix: updated auth handler tests to remove dependency on requirement for common code checks, refs AC-1125 * feat: updated conditionals/comments for create/delete methods within colleciton auth handler, refs AC-1125 * feat: added create/delete collection auth handler success methods, refs AC-1125 * fix: new up permissions to prevent excessive null checks, refs AC-1125 * fix: remove old reference to CreateNewCollections, refs AC-1125 * fix: typo within ViewAssignedCollections method, refs AC-1125 --------- Co-authored-by: Robyn MacCallum <robyntmaccallum@gmail.com>
This commit is contained in:
Vincent Salucci
@ -1,5 +1,6 @@
|
||||
using Bit.Api.Models.Request;
|
||||
using Bit.Api.Models.Response;
|
||||
using Bit.Api.Vault.AuthorizationHandlers.Collections;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Exceptions;
|
||||
@ -20,19 +21,22 @@ public class CollectionsController : Controller
|
||||
private readonly IDeleteCollectionCommand _deleteCollectionCommand;
|
||||
private readonly IUserService _userService;
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly IAuthorizationService _authorizationService;
|
||||
|
||||
public CollectionsController(
|
||||
ICollectionRepository collectionRepository,
|
||||
ICollectionService collectionService,
|
||||
IDeleteCollectionCommand deleteCollectionCommand,
|
||||
IUserService userService,
|
||||
ICurrentContext currentContext)
|
||||
ICurrentContext currentContext,
|
||||
IAuthorizationService authorizationService)
|
||||
{
|
||||
_collectionRepository = collectionRepository;
|
||||
_collectionService = collectionService;
|
||||
_deleteCollectionCommand = deleteCollectionCommand;
|
||||
_userService = userService;
|
||||
_currentContext = currentContext;
|
||||
_authorizationService = authorizationService;
|
||||
}
|
||||
|
||||
[HttpGet("{id}")]
|
||||
@ -62,6 +66,7 @@ public class CollectionsController : Controller
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
return new CollectionAccessDetailsResponseModel(collection, access.Groups, access.Users);
|
||||
}
|
||||
else
|
||||
@ -72,6 +77,7 @@ public class CollectionsController : Controller
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
return new CollectionAccessDetailsResponseModel(collection, access.Groups, access.Users);
|
||||
}
|
||||
}
|
||||
@ -79,13 +85,15 @@ public class CollectionsController : Controller
|
||||
[HttpGet("details")]
|
||||
public async Task<ListResponseModel<CollectionAccessDetailsResponseModel>> GetManyWithDetails(Guid orgId)
|
||||
{
|
||||
if (!await ViewAtLeastOneCollectionAsync(orgId) && !await _currentContext.ManageUsers(orgId) && !await _currentContext.ManageGroups(orgId))
|
||||
if (!await ViewAtLeastOneCollectionAsync(orgId) && !await _currentContext.ManageUsers(orgId) &&
|
||||
!await _currentContext.ManageGroups(orgId))
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
// We always need to know which collections the current user is assigned to
|
||||
var assignedOrgCollections = await _collectionRepository.GetManyByUserIdWithAccessAsync(_currentContext.UserId.Value, orgId);
|
||||
var assignedOrgCollections =
|
||||
await _collectionRepository.GetManyByUserIdWithAccessAsync(_currentContext.UserId.Value, orgId);
|
||||
|
||||
if (await _currentContext.ViewAllCollections(orgId) || await _currentContext.ManageUsers(orgId))
|
||||
{
|
||||
@ -141,8 +149,8 @@ public class CollectionsController : Controller
|
||||
{
|
||||
var collection = model.ToCollection(orgId);
|
||||
|
||||
if (!await CanCreateCollection(orgId, collection.Id) &&
|
||||
!await CanEditCollectionAsync(orgId, collection.Id))
|
||||
var result = await _authorizationService.AuthorizeAsync(User, collection, CollectionOperations.Create);
|
||||
if (!result.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
@ -150,10 +158,7 @@ public class CollectionsController : Controller
|
||||
var groups = model.Groups?.Select(g => g.ToSelectionReadOnly());
|
||||
var users = model.Users?.Select(g => g.ToSelectionReadOnly());
|
||||
|
||||
var assignUserToCollection = !(await _currentContext.EditAnyCollection(orgId)) &&
|
||||
await _currentContext.EditAssignedCollections(orgId);
|
||||
|
||||
await _collectionService.SaveAsync(collection, groups, users, assignUserToCollection ? _currentContext.UserId : null);
|
||||
await _collectionService.SaveAsync(collection, groups, users, _currentContext.UserId);
|
||||
return new CollectionResponseModel(collection);
|
||||
}
|
||||
|
||||
@ -189,12 +194,13 @@ public class CollectionsController : Controller
|
||||
[HttpPost("{id}/delete")]
|
||||
public async Task Delete(Guid orgId, Guid id)
|
||||
{
|
||||
if (!await CanDeleteCollectionAsync(orgId, id))
|
||||
var collection = await GetCollectionAsync(id, orgId);
|
||||
var result = await _authorizationService.AuthorizeAsync(User, collection, CollectionOperations.Delete);
|
||||
if (!result.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var collection = await GetCollectionAsync(id, orgId);
|
||||
await _deleteCollectionCommand.DeleteAsync(collection);
|
||||
}
|
||||
|
||||
@ -202,22 +208,14 @@ public class CollectionsController : Controller
|
||||
[HttpPost("delete")]
|
||||
public async Task DeleteMany([FromBody] CollectionBulkDeleteRequestModel model)
|
||||
{
|
||||
var orgId = new Guid(model.OrganizationId);
|
||||
var collectionIds = model.Ids.Select(i => new Guid(i));
|
||||
if (!await _currentContext.DeleteAssignedCollections(orgId) && !await _currentContext.DeleteAnyCollection(orgId))
|
||||
var collections = await _collectionRepository.GetManyByManyIdsAsync(model.Ids);
|
||||
var result = await _authorizationService.AuthorizeAsync(User, collections, CollectionOperations.Delete);
|
||||
if (!result.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
var userCollections = await _collectionService.GetOrganizationCollectionsAsync(orgId);
|
||||
var filteredCollections = userCollections.Where(c => collectionIds.Contains(c.Id) && c.OrganizationId == orgId);
|
||||
|
||||
if (!filteredCollections.Any())
|
||||
{
|
||||
throw new BadRequestException("No collections found.");
|
||||
}
|
||||
|
||||
await _deleteCollectionCommand.DeleteManyAsync(filteredCollections);
|
||||
await _deleteCollectionCommand.DeleteManyAsync(collections);
|
||||
}
|
||||
|
||||
[HttpDelete("{id}/user/{orgUserId}")]
|
||||
@ -248,17 +246,6 @@ public class CollectionsController : Controller
|
||||
return collection;
|
||||
}
|
||||
|
||||
|
||||
private async Task<bool> CanCreateCollection(Guid orgId, Guid collectionId)
|
||||
{
|
||||
if (collectionId != default)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
return await _currentContext.CreateNewCollections(orgId);
|
||||
}
|
||||
|
||||
private async Task<bool> CanEditCollectionAsync(Guid orgId, Guid collectionId)
|
||||
{
|
||||
if (collectionId == default)
|
||||
@ -273,28 +260,8 @@ public class CollectionsController : Controller
|
||||
|
||||
if (await _currentContext.EditAssignedCollections(orgId))
|
||||
{
|
||||
var collectionDetails = await _collectionRepository.GetByIdAsync(collectionId, _currentContext.UserId.Value);
|
||||
return collectionDetails != null;
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
private async Task<bool> CanDeleteCollectionAsync(Guid orgId, Guid collectionId)
|
||||
{
|
||||
if (collectionId == default)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
if (await _currentContext.DeleteAnyCollection(orgId))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
|
||||
if (await _currentContext.DeleteAssignedCollections(orgId))
|
||||
{
|
||||
var collectionDetails = await _collectionRepository.GetByIdAsync(collectionId, _currentContext.UserId.Value);
|
||||
var collectionDetails =
|
||||
await _collectionRepository.GetByIdAsync(collectionId, _currentContext.UserId.Value);
|
||||
return collectionDetails != null;
|
||||
}
|
||||
|
||||
@ -315,7 +282,8 @@ public class CollectionsController : Controller
|
||||
|
||||
if (await _currentContext.ViewAssignedCollections(orgId))
|
||||
{
|
||||
var collectionDetails = await _collectionRepository.GetByIdAsync(collectionId, _currentContext.UserId.Value);
|
||||
var collectionDetails =
|
||||
await _collectionRepository.GetByIdAsync(collectionId, _currentContext.UserId.Value);
|
||||
return collectionDetails != null;
|
||||
}
|
||||
|
||||
|
||||
@ -34,7 +34,8 @@ public class CollectionRequestModel
|
||||
public class CollectionBulkDeleteRequestModel
|
||||
{
|
||||
[Required]
|
||||
public IEnumerable<string> Ids { get; set; }
|
||||
public IEnumerable<Guid> Ids { get; set; }
|
||||
[Obsolete("OrganizationId is no longer required and will be removed in a future release")]
|
||||
public string OrganizationId { get; set; }
|
||||
}
|
||||
|
||||
|
||||
@ -1,4 +1,4 @@
|
||||
using Bit.Api.Vault.AuthorizationHandlers;
|
||||
using Bit.Api.Vault.AuthorizationHandlers.Collections;
|
||||
using Bit.Core.IdentityServer;
|
||||
using Bit.Core.Settings;
|
||||
using Bit.Core.Utilities;
|
||||
|
||||
@ -1,90 +0,0 @@
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Utilities;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
|
||||
namespace Bit.Api.Vault.AuthorizationHandlers;
|
||||
|
||||
public class CollectionAuthorizationHandler : BulkAuthorizationHandler<CollectionOperationRequirement, Collection>
|
||||
{
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly ICollectionRepository _collectionRepository;
|
||||
private readonly IOrganizationUserRepository _organizationUserRepository;
|
||||
|
||||
public CollectionAuthorizationHandler(ICurrentContext currentContext, ICollectionRepository collectionRepository, IOrganizationUserRepository organizationUserRepository)
|
||||
{
|
||||
_currentContext = currentContext;
|
||||
_collectionRepository = collectionRepository;
|
||||
_organizationUserRepository = organizationUserRepository;
|
||||
}
|
||||
|
||||
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, CollectionOperationRequirement requirement,
|
||||
ICollection<Collection> resources)
|
||||
{
|
||||
switch (requirement)
|
||||
{
|
||||
case not null when requirement == CollectionOperation.ModifyAccess:
|
||||
await CanManageCollectionAccessAsync(context, requirement, resources);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Ensures the acting user is allowed to manage access permissions for the target collections.
|
||||
/// </summary>
|
||||
private async Task CanManageCollectionAccessAsync(AuthorizationHandlerContext context, IAuthorizationRequirement requirement, ICollection<Collection> targetCollections)
|
||||
{
|
||||
if (!_currentContext.UserId.HasValue)
|
||||
{
|
||||
context.Fail();
|
||||
return;
|
||||
}
|
||||
|
||||
var targetOrganizationId = targetCollections.First().OrganizationId;
|
||||
|
||||
// Ensure all target collections belong to the same organization
|
||||
if (targetCollections.Any(tc => tc.OrganizationId != targetOrganizationId))
|
||||
{
|
||||
throw new BadRequestException("Requested collections must belong to the same organization.");
|
||||
}
|
||||
|
||||
var org = (await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, _currentContext.UserId.Value))
|
||||
.FirstOrDefault(o => targetOrganizationId == o.Id);
|
||||
|
||||
// Acting user is not a member of the target organization, fail
|
||||
if (org == null)
|
||||
{
|
||||
context.Fail();
|
||||
return;
|
||||
}
|
||||
|
||||
// Owners, Admins, Providers, and users with EditAnyCollection permission can always manage collection access
|
||||
if (
|
||||
org.Permissions is { EditAnyCollection: true } ||
|
||||
org.Type is OrganizationUserType.Admin or OrganizationUserType.Owner ||
|
||||
await _currentContext.ProviderUserForOrgAsync(org.Id))
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
return;
|
||||
}
|
||||
|
||||
// List of collection Ids the acting user is allowed to manage
|
||||
var manageableCollectionIds =
|
||||
(await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value))
|
||||
.Where(c => c.Manage && c.OrganizationId == targetOrganizationId)
|
||||
.Select(c => c.Id)
|
||||
.ToHashSet();
|
||||
|
||||
// The acting user does not have permission to manage all target collections, fail
|
||||
if (targetCollections.Any(tc => !manageableCollectionIds.Contains(tc.Id)))
|
||||
{
|
||||
context.Fail();
|
||||
return;
|
||||
}
|
||||
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,162 @@
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Utilities;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
|
||||
namespace Bit.Api.Vault.AuthorizationHandlers.Collections;
|
||||
|
||||
public class CollectionAuthorizationHandler : BulkAuthorizationHandler<CollectionOperationRequirement, Collection>
|
||||
{
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly ICollectionRepository _collectionRepository;
|
||||
|
||||
public CollectionAuthorizationHandler(ICurrentContext currentContext, ICollectionRepository collectionRepository)
|
||||
{
|
||||
_currentContext = currentContext;
|
||||
_collectionRepository = collectionRepository;
|
||||
}
|
||||
|
||||
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
|
||||
CollectionOperationRequirement requirement, ICollection<Collection> resources)
|
||||
{
|
||||
// Establish pattern of authorization handler null checking passed resources
|
||||
if (resources == null || !resources.Any())
|
||||
{
|
||||
context.Fail();
|
||||
return;
|
||||
}
|
||||
|
||||
if (!_currentContext.UserId.HasValue)
|
||||
{
|
||||
context.Fail();
|
||||
return;
|
||||
}
|
||||
|
||||
var targetOrganizationId = resources.First().OrganizationId;
|
||||
|
||||
// Ensure all target collections belong to the same organization
|
||||
if (resources.Any(tc => tc.OrganizationId != targetOrganizationId))
|
||||
{
|
||||
throw new BadRequestException("Requested collections must belong to the same organization.");
|
||||
}
|
||||
|
||||
// Acting user is not a member of the target organization, fail
|
||||
var org = _currentContext.GetOrganization(targetOrganizationId);
|
||||
if (org == null)
|
||||
{
|
||||
context.Fail();
|
||||
return;
|
||||
}
|
||||
|
||||
switch (requirement)
|
||||
{
|
||||
case not null when requirement == CollectionOperations.Create:
|
||||
await CanCreateAsync(context, requirement, org);
|
||||
break;
|
||||
|
||||
case not null when requirement == CollectionOperations.Delete:
|
||||
await CanDeleteAsync(context, requirement, resources, org);
|
||||
break;
|
||||
|
||||
case not null when requirement == CollectionOperations.ModifyAccess:
|
||||
await CanManageCollectionAccessAsync(context, requirement, resources, org);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
private async Task CanCreateAsync(AuthorizationHandlerContext context, CollectionOperationRequirement requirement,
|
||||
CurrentContextOrganization org)
|
||||
{
|
||||
// If false, all organization members are allowed to create collections
|
||||
if (!org.LimitCollectionCdOwnerAdmin)
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
return;
|
||||
}
|
||||
|
||||
// Owners, Admins, Providers, and users with CreateNewCollections or EditAnyCollection permission can always create collections
|
||||
if (
|
||||
org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin ||
|
||||
org.Permissions.CreateNewCollections || org.Permissions.EditAnyCollection ||
|
||||
await _currentContext.ProviderUserForOrgAsync(org.Id))
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
return;
|
||||
}
|
||||
|
||||
context.Fail();
|
||||
}
|
||||
|
||||
private async Task CanDeleteAsync(AuthorizationHandlerContext context, CollectionOperationRequirement requirement,
|
||||
ICollection<Collection> resources, CurrentContextOrganization org)
|
||||
{
|
||||
// Owners, Admins, Providers, and users with DeleteAnyCollection or EditAnyCollection permission can always delete collections
|
||||
if (
|
||||
org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin ||
|
||||
org.Permissions.DeleteAnyCollection || org.Permissions.EditAnyCollection ||
|
||||
await _currentContext.ProviderUserForOrgAsync(org.Id))
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
return;
|
||||
}
|
||||
|
||||
// The limit collection management setting is enabled and we are not an Admin (above condition), fail
|
||||
if (org.LimitCollectionCdOwnerAdmin)
|
||||
{
|
||||
context.Fail();
|
||||
return;
|
||||
}
|
||||
|
||||
// Other members types should have the Manage capability for all collections being deleted
|
||||
var manageableCollectionIds =
|
||||
(await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId!.Value))
|
||||
.Where(c => c.Manage && c.OrganizationId == org.Id)
|
||||
.Select(c => c.Id)
|
||||
.ToHashSet();
|
||||
|
||||
// The acting user does not have permission to manage all target collections, fail
|
||||
if (resources.Any(c => !manageableCollectionIds.Contains(c.Id)))
|
||||
{
|
||||
context.Fail();
|
||||
return;
|
||||
}
|
||||
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
|
||||
/// <summary>
|
||||
/// Ensures the acting user is allowed to manage access permissions for the target collections.
|
||||
/// </summary>
|
||||
private async Task CanManageCollectionAccessAsync(AuthorizationHandlerContext context,
|
||||
IAuthorizationRequirement requirement, ICollection<Collection> targetCollections, CurrentContextOrganization org)
|
||||
{
|
||||
// Owners, Admins, Providers, and users with EditAnyCollection permission can always manage collection access
|
||||
if (
|
||||
org.Permissions is { EditAnyCollection: true } ||
|
||||
org.Type is OrganizationUserType.Owner or OrganizationUserType.Admin ||
|
||||
await _currentContext.ProviderUserForOrgAsync(org.Id))
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
return;
|
||||
}
|
||||
|
||||
// List of collection Ids the acting user is allowed to manage
|
||||
var manageableCollectionIds =
|
||||
(await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId!.Value))
|
||||
.Where(c => c.Manage && c.OrganizationId == org.Id)
|
||||
.Select(c => c.Id)
|
||||
.ToHashSet();
|
||||
|
||||
// The acting user does not have permission to manage all target collections, fail
|
||||
if (targetCollections.Any(tc => !manageableCollectionIds.Contains(tc.Id)))
|
||||
{
|
||||
context.Fail();
|
||||
return;
|
||||
}
|
||||
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
}
|
||||
@ -1,11 +1,13 @@
|
||||
using Microsoft.AspNetCore.Authorization.Infrastructure;
|
||||
|
||||
namespace Bit.Api.Vault.AuthorizationHandlers;
|
||||
namespace Bit.Api.Vault.AuthorizationHandlers.Collections;
|
||||
|
||||
public class CollectionOperationRequirement : OperationAuthorizationRequirement { }
|
||||
|
||||
public static class CollectionOperation
|
||||
public static class CollectionOperations
|
||||
{
|
||||
public static readonly CollectionOperationRequirement Create = new() { Name = nameof(Create) };
|
||||
public static readonly CollectionOperationRequirement Delete = new() { Name = nameof(Delete) };
|
||||
/// <summary>
|
||||
/// The operation that represents creating, updating, or removing collection access.
|
||||
/// Combined together to allow for a single requirement to be used for each operation
|
||||
@ -321,27 +321,16 @@ public class CurrentContext : ICurrentContext
|
||||
&& (o.Permissions?.AccessReports ?? false)) ?? false);
|
||||
}
|
||||
|
||||
public async Task<bool> CreateNewCollections(Guid orgId)
|
||||
{
|
||||
return await OrganizationManager(orgId) || (Organizations?.Any(o => o.Id == orgId
|
||||
&& (o.Permissions?.CreateNewCollections ?? false)) ?? false);
|
||||
}
|
||||
|
||||
public async Task<bool> EditAnyCollection(Guid orgId)
|
||||
{
|
||||
return await OrganizationAdmin(orgId) || (Organizations?.Any(o => o.Id == orgId
|
||||
&& (o.Permissions?.EditAnyCollection ?? false)) ?? false);
|
||||
}
|
||||
|
||||
public async Task<bool> DeleteAnyCollection(Guid orgId)
|
||||
{
|
||||
return await OrganizationAdmin(orgId) || (Organizations?.Any(o => o.Id == orgId
|
||||
&& (o.Permissions?.DeleteAnyCollection ?? false)) ?? false);
|
||||
}
|
||||
|
||||
public async Task<bool> ViewAllCollections(Guid orgId)
|
||||
{
|
||||
return await EditAnyCollection(orgId) || await DeleteAnyCollection(orgId);
|
||||
var org = GetOrganization(orgId);
|
||||
return await EditAnyCollection(orgId) || (org != null && org.Permissions.DeleteAnyCollection);
|
||||
}
|
||||
|
||||
public async Task<bool> EditAssignedCollections(Guid orgId)
|
||||
@ -358,9 +347,20 @@ public class CurrentContext : ICurrentContext
|
||||
|
||||
public async Task<bool> ViewAssignedCollections(Guid orgId)
|
||||
{
|
||||
return await CreateNewCollections(orgId) // Required to display the existing collections under which the new collection can be nested
|
||||
|| await EditAssignedCollections(orgId)
|
||||
|| await DeleteAssignedCollections(orgId);
|
||||
/*
|
||||
* Required to display the existing collections under which the new collection can be nested.
|
||||
* Owner, Admin, Manager, and Provider checks are handled via the EditAssigned/DeleteAssigned context calls.
|
||||
* This entire method will be moved to the CollectionAuthorizationHandler in the future
|
||||
*/
|
||||
var canCreateNewCollections = false;
|
||||
var org = GetOrganization(orgId);
|
||||
if (org != null)
|
||||
{
|
||||
canCreateNewCollections = !org.LimitCollectionCdOwnerAdmin || org.Permissions.CreateNewCollections;
|
||||
}
|
||||
return await EditAssignedCollections(orgId)
|
||||
|| await DeleteAssignedCollections(orgId)
|
||||
|| canCreateNewCollections;
|
||||
}
|
||||
|
||||
public async Task<bool> ManageGroups(Guid orgId)
|
||||
@ -509,6 +509,11 @@ public class CurrentContext : ICurrentContext
|
||||
return Providers;
|
||||
}
|
||||
|
||||
public CurrentContextOrganization GetOrganization(Guid orgId)
|
||||
{
|
||||
return Organizations?.Find(o => o.Id == orgId);
|
||||
}
|
||||
|
||||
private string GetClaimValue(Dictionary<string, IEnumerable<Claim>> claims, string type)
|
||||
{
|
||||
if (!claims.ContainsKey(type))
|
||||
|
||||
@ -15,10 +15,12 @@ public class CurrentContextOrganization
|
||||
Type = orgUser.Type;
|
||||
Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(orgUser.Permissions);
|
||||
AccessSecretsManager = orgUser.AccessSecretsManager && orgUser.UseSecretsManager;
|
||||
LimitCollectionCdOwnerAdmin = orgUser.LimitCollectionCdOwnerAdmin;
|
||||
}
|
||||
|
||||
public Guid Id { get; set; }
|
||||
public OrganizationUserType Type { get; set; }
|
||||
public Permissions Permissions { get; set; }
|
||||
public Permissions Permissions { get; set; } = new();
|
||||
public bool AccessSecretsManager { get; set; }
|
||||
public bool LimitCollectionCdOwnerAdmin { get; set; }
|
||||
}
|
||||
|
||||
@ -1,4 +1,6 @@
|
||||
using System.Security.Claims;
|
||||
#nullable enable
|
||||
|
||||
using System.Security.Claims;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Identity;
|
||||
@ -39,9 +41,7 @@ public interface ICurrentContext
|
||||
Task<bool> AccessEventLogs(Guid orgId);
|
||||
Task<bool> AccessImportExport(Guid orgId);
|
||||
Task<bool> AccessReports(Guid orgId);
|
||||
Task<bool> CreateNewCollections(Guid orgId);
|
||||
Task<bool> EditAnyCollection(Guid orgId);
|
||||
Task<bool> DeleteAnyCollection(Guid orgId);
|
||||
Task<bool> ViewAllCollections(Guid orgId);
|
||||
Task<bool> EditAssignedCollections(Guid orgId);
|
||||
Task<bool> DeleteAssignedCollections(Guid orgId);
|
||||
@ -72,4 +72,5 @@ public interface ICurrentContext
|
||||
|
||||
Task<Guid?> ProviderIdForOrg(Guid orgId);
|
||||
bool AccessSecretsManager(Guid organizationId);
|
||||
CurrentContextOrganization? GetOrganization(Guid orgId);
|
||||
}
|
||||
|
||||
@ -71,7 +71,7 @@ public class CollectionService : ICollectionService
|
||||
{
|
||||
await _collectionRepository.UpdateUsersAsync(collection.Id,
|
||||
new List<CollectionAccessSelection> {
|
||||
new CollectionAccessSelection { Id = orgUser.Id, ReadOnly = false } });
|
||||
new CollectionAccessSelection { Id = orgUser.Id, Manage = true} });
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -2083,7 +2083,7 @@ public class OrganizationService : IOrganizationService
|
||||
|
||||
private async Task<bool> ValidateCustomPermissionsGrant(Guid organizationId, Permissions permissions)
|
||||
{
|
||||
if (permissions == null || await _currentContext.OrganizationOwner(organizationId) || await _currentContext.OrganizationAdmin(organizationId))
|
||||
if (permissions == null || await _currentContext.OrganizationAdmin(organizationId))
|
||||
{
|
||||
return true;
|
||||
}
|
||||
@ -2128,16 +2128,6 @@ public class OrganizationService : IOrganizationService
|
||||
return false;
|
||||
}
|
||||
|
||||
if (permissions.CreateNewCollections && !await _currentContext.CreateNewCollections(organizationId))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
if (permissions.DeleteAnyCollection && !await _currentContext.DeleteAnyCollection(organizationId))
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
if (permissions.DeleteAssignedCollections && !await _currentContext.DeleteAssignedCollections(organizationId))
|
||||
{
|
||||
return false;
|
||||
@ -2158,6 +2148,22 @@ public class OrganizationService : IOrganizationService
|
||||
return false;
|
||||
}
|
||||
|
||||
var org = _currentContext.GetOrganization(organizationId);
|
||||
if (org == null)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
if (permissions.CreateNewCollections && !org.Permissions.CreateNewCollections)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
if (permissions.DeleteAnyCollection && !org.Permissions.DeleteAnyCollection)
|
||||
{
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user