Move to api project, create new context class

2025-04-05 05:00:19 -05:00 · 2025-03-27 10:20:19 +10:00 · 2025-03-27 10:20:19 +10:00 · 3d83e4b5a7
commit 3d83e4b5a7
parent b840e2e318
14 changed files with 93 additions and 49 deletions
--- a/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/AuthorizeAttribute.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/AuthorizeAttribute.cs
@ -2,7 +2,7 @@
 using Microsoft.AspNetCore.Authorization;
-namespace Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
+namespace Bit.Api.AdminConsole.Authorization;
 /// <summary>
 /// An attribute which requires authorization using the specified requirement.
--- a/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/IOrganizationRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/IOrganizationRequirement.cs
@ -1,9 +1,10 @@
 #nullable enable
 using Bit.Api.AdminConsole.Context;
 using Bit.Core.Context;
 using Microsoft.AspNetCore.Authorization;
-namespace Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
+namespace Bit.Api.AdminConsole.Authorization;
 /// <summary>
 /// A requirement that implements this interface will be handled by <see cref="OrganizationRequirementHandler"/>,
@ -13,6 +14,8 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 /// </summary>
 public interface IOrganizationRequirement : IAuthorizationRequirement
 {
-    // TODO: avoid injecting all of ICurrentContext?
+    public Task<bool> AuthorizeAsync(
-    public Task<bool> AuthorizeAsync(Guid organizationId, CurrentContextOrganization? organizationClaims, ICurrentContext currentContext);
+        Guid organizationId,
        CurrentContextOrganization? organizationClaims,
        IProviderOrganizationContext providerOrganizationContext);
 }
--- a/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationRequirementHandler.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationRequirementHandler.cs
@ -1,10 +1,10 @@
 #nullable enable
 using Bit.Api.AdminConsole.Context;
 using Bit.Core.Context;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
-namespace Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
+namespace Bit.Api.AdminConsole.Authorization;
 /// <summary>
 /// Handles any requirement that implements <see cref="IOrganizationRequirement"/>.
@ -13,7 +13,10 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 /// </summary>
 /// <param name="currentContext"></param>
 /// <param name="httpContextAccessor"></param>
-public class OrganizationRequirementHandler(ICurrentContext currentContext, IHttpContextAccessor httpContextAccessor)
+public class OrganizationRequirementHandler(
    ICurrentContext currentContext,
    IProviderOrganizationContext providerOrganizationContext,
    IHttpContextAccessor httpContextAccessor)
    : AuthorizationHandler<IOrganizationRequirement>
 {
    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, IOrganizationRequirement requirement)
@ -24,9 +27,9 @@ public class OrganizationRequirementHandler(ICurrentContext currentContext, IHtt
            throw new Exception("No organizationId found in route. IOrganizationRequirement cannot be used on this endpoint.");
        }
-        var organization = currentContext.GetOrganization(organizationId.Value);
+        var organizationClaims = currentContext.GetOrganization(organizationId.Value);
-        var authorized = await requirement.AuthorizeAsync(organizationId.Value, organization, currentContext);
+        var authorized = await requirement.AuthorizeAsync(organizationId.Value, organizationClaims, providerOrganizationContext);
        if (authorized)
        {
--- a/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationRequirementHelpers.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Shared/Authorization/OrganizationRequirementHelpers.cs
@ -1,9 +1,6 @@
 #nullable enable
-using Microsoft.AspNetCore.Http;
+namespace Bit.Api.AdminConsole.Authorization;
 using Microsoft.AspNetCore.Routing;
 namespace Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 public static class OrganizationRequirementHelpers
 {
--- a/src/Api/AdminConsole/Authorization/Requirements/ManageUsersRequirement.cs
+++ b/src/Api/AdminConsole/Authorization/Requirements/ManageUsersRequirement.cs
@ -0,0 +1,19 @@
 #nullable enable
 using Bit.Api.AdminConsole.Context;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 namespace Bit.Api.AdminConsole.Authorization.Requirements;
 public class ManageUsersRequirement : IOrganizationRequirement
 {
    public async Task<bool> AuthorizeAsync(
        Guid organizationId,
        CurrentContextOrganization? organizationClaims,
        IProviderOrganizationContext providerOrganizationContext)
        => organizationClaims is
    { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
    { Permissions.ManageUsers: true }
            || await providerOrganizationContext.ProviderUserForOrgAsync(organizationId);
 }
--- a/src/Api/AdminConsole/Authorization/Requirements/MemberOrProviderRequirement.cs
+++ b/src/Api/AdminConsole/Authorization/Requirements/MemberOrProviderRequirement.cs
@ -0,0 +1,18 @@
 #nullable enable
 using Bit.Api.AdminConsole.Context;
 using Bit.Core.Context;
 namespace Bit.Api.AdminConsole.Authorization.Requirements;
 /// <summary>
 /// Requires that the user is a member of the organization or a provider for the organization.
 /// </summary>
 public class MemberOrProviderRequirement : IOrganizationRequirement
 {
    public async Task<bool> AuthorizeAsync(
        Guid organizationId,
        CurrentContextOrganization? organizationClaims,
        IProviderOrganizationContext providerOrganizationContext)
        => organizationClaims is not null || await providerOrganizationContext.ProviderUserForOrgAsync(organizationId);
 }
--- a/src/Api/AdminConsole/Context/IProviderOrganizationContext.cs
+++ b/src/Api/AdminConsole/Context/IProviderOrganizationContext.cs
@ -0,0 +1,12 @@
 namespace Bit.Api.AdminConsole.Context;
 /// <summary>
 /// Current context for the relationship between ProviderUsers and Organizations that they manage.
 /// </summary>
 public interface IProviderOrganizationContext
 {
    /// <summary>
    /// Returns true if the current user is a ProviderUser for the specified organization, false otherwise.
    /// </summary>
    Task<bool> ProviderUserForOrgAsync(Guid orgId);
 }
--- a/src/Api/AdminConsole/Context/ProviderOrganizationContext.cs
+++ b/src/Api/AdminConsole/Context/ProviderOrganizationContext.cs
@ -0,0 +1,19 @@
 using Bit.Core.Context;
 namespace Bit.Api.AdminConsole.Context;
 public class ProviderOrganizationContext(ICurrentContext currentContext) : IProviderOrganizationContext
 {
    /// <inheritdoc/>
    public async Task<bool> ProviderUserForOrgAsync(Guid orgId)
    {
        // If the user doesn't have any ProviderUser claims (in relation to the provider), they can't have a provider
        // relationship to any organization.
        if (currentContext.Providers.Count == 0)
        {
            return false;
        }
        return await currentContext.ProviderUserForOrgAsync(orgId);
    }
 }
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@ -1,4 +1,6 @@
-using Bit.Api.AdminConsole.Models.Request.Organizations;
+using Bit.Api.AdminConsole.Authorization;
 using Bit.Api.AdminConsole.Authorization.Requirements;
 using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.AdminConsole.Models.Response.Organizations;
 using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response;
@ -6,11 +8,9 @@ using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Core;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
 using Bit.Core.AdminConsole.OrganizationFeatures.Policies.PolicyRequirements;
 using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
 using Bit.Core.Auth.Repositories;
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -7,6 +7,7 @@ using Stripe;
 using Bit.Core.Utilities;
 using Duende.IdentityModel;
 using System.Globalization;
 using Bit.Api.AdminConsole.Context;
 using Bit.Api.AdminConsole.Models.Request.Organizations;
 using Bit.Api.Auth.Models.Request;
 using Bit.Api.KeyManagement.Validators;
@ -84,6 +85,7 @@ public class Startup
        // Context
        services.AddScoped<ICurrentContext, CurrentContext>();
        services.AddScoped<IProviderOrganizationContext, ProviderOrganizationContext>();
        services.TryAddSingleton<IHttpContextAccessor, HttpContextAccessor>();
        // Caching
--- a/src/Api/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Api/Utilities/ServiceCollectionExtensions.cs
@ -1,7 +1,7 @@
-using Bit.Api.Tools.Authorization;
+using Bit.Api.AdminConsole.Authorization;
 using Bit.Api.Tools.Authorization;
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.IdentityServer;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
--- a/src/Core/AdminConsole/OrganizationFeatures/ManageUsersRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/ManageUsersRequirement.cs
@ -1,16 +0,0 @@
 #nullable enable
 using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 namespace Bit.Core.AdminConsole.OrganizationFeatures;
 public class ManageUsersRequirement : IOrganizationRequirement
 {
    public async Task<bool> AuthorizeAsync(Guid organizationId, CurrentContextOrganization? organizationClaims, ICurrentContext currentContext)
        => organizationClaims is
    { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
    { Permissions.ManageUsers: true }
            || await currentContext.ProviderUserForOrgAsync(organizationId);
 }
--- a/src/Core/AdminConsole/OrganizationFeatures/MemberOrProviderRequirement.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/MemberOrProviderRequirement.cs
@ -1,15 +0,0 @@
 #nullable enable
 using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.Context;
 namespace Bit.Core.AdminConsole.OrganizationFeatures;
 /// <summary>
 /// Requires that the user is a member of the organization or a provider for the organization.
 /// </summary>
 public class MemberOrProviderRequirement : IOrganizationRequirement
 {
    public async Task<bool> AuthorizeAsync(Guid organizationId, CurrentContextOrganization? organizationClaims, ICurrentContext currentContext)
        => organizationClaims is not null || await currentContext.ProviderUserForOrgAsync(organizationId);
 }
--- a/src/Core/Context/ICurrentContext.cs
+++ b/src/Core/Context/ICurrentContext.cs
@ -22,6 +22,7 @@ public interface ICurrentContext
    string IpAddress { get; set; }
    string CountryName { get; set; }
    List<CurrentContextOrganization> Organizations { get; set; }
    List<CurrentContextProvider> Providers { get; set; }
    Guid? InstallationId { get; set; }
    Guid? OrganizationId { get; set; }
    IdentityClientType IdentityClientType { get; set; }
@ -59,6 +60,7 @@ public interface ICurrentContext
    Task<bool> EditSubscription(Guid orgId);
    Task<bool> EditPaymentMethods(Guid orgId);
    Task<bool> ViewBillingHistory(Guid orgId);
    [Obsolete("Use IProviderOrganizationContext.ProviderUserForOrgAsync instead.")]
    Task<bool> ProviderUserForOrgAsync(Guid orgId);
    bool ProviderProviderAdmin(Guid providerId);
    bool ProviderUser(Guid providerId);