[SM-1293] Add endpoint to fetch secret's access policies (#4146)

* Add authz handling for secret access policy reads * Add the ability to fetch secret access polices from the repository * refactor response models * Add new endpoint
2025-07-15 14:47:45 -05:00 · 2024-06-07 12:08:38 -05:00
parent a1d609b208
commit 36705790ad
17 changed files with 554 additions and 143 deletions
--- a/src/Core/SecretsManager/AuthorizationRequirements/SecretOperationRequirement.cs
+++ b/src/Core/SecretsManager/AuthorizationRequirements/SecretOperationRequirement.cs
@ -12,4 +12,5 @@ public static class SecretOperations
    public static readonly SecretOperationRequirement Read = new() { Name = nameof(Read) };
    public static readonly SecretOperationRequirement Update = new() { Name = nameof(Update) };
    public static readonly SecretOperationRequirement Delete = new() { Name = nameof(Delete) };
+    public static readonly SecretOperationRequirement ReadAccessPolicies = new() { Name = nameof(ReadAccessPolicies) };
 }
--- a/src/Core/SecretsManager/Models/Data/SecretAccessPolicies.cs
+++ b/src/Core/SecretsManager/Models/Data/SecretAccessPolicies.cs
@ -0,0 +1,35 @@
+#nullable enable
+using Bit.Core.SecretsManager.Entities;
+
+namespace Bit.Core.SecretsManager.Models.Data;
+
+public class SecretAccessPolicies
+{
+    public SecretAccessPolicies(Guid secretId, Guid organizationId, List<BaseAccessPolicy> policies)
+    {
+        SecretId = secretId;
+        OrganizationId = organizationId;
+
+        UserAccessPolicies = policies
+            .OfType<UserSecretAccessPolicy>()
+            .ToList();
+
+        GroupAccessPolicies = policies
+            .OfType<GroupSecretAccessPolicy>()
+            .ToList();
+
+        ServiceAccountAccessPolicies = policies
+            .OfType<ServiceAccountSecretAccessPolicy>()
+            .ToList();
+    }
+
+    public SecretAccessPolicies()
+    {
+    }
+
+    public Guid SecretId { get; set; }
+    public Guid OrganizationId { get; set; }
+    public IEnumerable<UserSecretAccessPolicy> UserAccessPolicies { get; set; } = [];
+    public IEnumerable<GroupSecretAccessPolicy> GroupAccessPolicies { get; set; } = [];
+    public IEnumerable<ServiceAccountSecretAccessPolicy> ServiceAccountAccessPolicies { get; set; } = [];
+}
--- a/src/Core/SecretsManager/Repositories/IAccessPolicyRepository.cs
+++ b/src/Core/SecretsManager/Repositories/IAccessPolicyRepository.cs
@ -20,4 +20,5 @@ public interface IAccessPolicyRepository
    Task UpdateServiceAccountGrantedPoliciesAsync(ServiceAccountGrantedPoliciesUpdates policyUpdates);
    Task<ProjectServiceAccountsAccessPolicies?> GetProjectServiceAccountsAccessPoliciesAsync(Guid projectId);
    Task UpdateProjectServiceAccountsAccessPoliciesAsync(ProjectServiceAccountsAccessPoliciesUpdates updates);
+    Task<SecretAccessPolicies?> GetSecretAccessPoliciesAsync(Guid secretId, Guid userId);
 }