[AC-1139] Created AuthorizationServiceExtensions to have an extension method for AuthorizeAsync where the resource is null

2025-07-03 00:52:49 -05:00 · 2023-10-30 12:59:34 +00:00
parent 91de2d892e
commit 4642b7360e
4 changed files with 39 additions and 4 deletions
--- a/src/Api/AdminConsole/Controllers/GroupsController.cs
+++ b/src/Api/AdminConsole/Controllers/GroupsController.cs
@ -1,6 +1,7 @@
 using Bit.Api.AdminConsole.Models.Request;
 using Bit.Api.AdminConsole.Models.Response;
 using Bit.Api.Models.Response;
+using Bit.Api.Utilities;
 using Bit.Api.Vault.AuthorizationHandlers.Groups;
 using Bit.Core;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Interfaces;
@ -206,7 +207,7 @@ public class GroupsController : Controller
    private async Task<ListResponseModel<GroupDetailsResponseModel>> Get_vNext(Guid orgId)
    {
        var authorized =
-            (await _authorizationService.AuthorizeAsync(User, null, GroupOperations.ReadAll(orgId))).Succeeded;
+            (await _authorizationService.AuthorizeAsync(User, GroupOperations.ReadAll(orgId))).Succeeded;
        if (!authorized)
        {
            throw new NotFoundException();
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@ -2,6 +2,7 @@
 using Bit.Api.AdminConsole.Models.Response.Organizations;
 using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response;
+using Bit.Api.Utilities;
 using Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
 using Bit.Core;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
@ -93,7 +94,7 @@ public class OrganizationUsersController : Controller
    public async Task<ListResponseModel<OrganizationUserUserDetailsResponseModel>> Get(Guid orgId, bool includeGroups = false, bool includeCollections = false)
    {
        var authorized = UseFlexibleCollections
-            ? (await _authorizationService.AuthorizeAsync(User, null, OrganizationUserOperations.ReadAll(orgId))).Succeeded
+            ? (await _authorizationService.AuthorizeAsync(User, OrganizationUserOperations.ReadAll(orgId))).Succeeded
            : await _currentContext.ViewAllCollections(orgId) ||
              await _currentContext.ViewAssignedCollections(orgId) ||
              await _currentContext.ManageGroups(orgId) ||
--- a/src/Api/Controllers/CollectionsController.cs
+++ b/src/Api/Controllers/CollectionsController.cs
@ -1,5 +1,6 @@
 using Bit.Api.Models.Request;
 using Bit.Api.Models.Response;
+using Bit.Api.Utilities;
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Core;
 using Bit.Core.Context;
@ -520,7 +521,7 @@ public class CollectionsController : Controller
            .GetManyByUserIdWithAccessAsync(_currentContext.UserId.Value, orgId);

        var readAllAuthorized =
-            (await _authorizationService.AuthorizeAsync(User, null, CollectionOperations.ReadAll(orgId))).Succeeded;
+            (await _authorizationService.AuthorizeAsync(User, CollectionOperations.ReadAll(orgId))).Succeeded;
        if (readAllAuthorized)
        {
            // The user can view all collections, but they may not always be assigned to all of them
@ -547,7 +548,7 @@ public class CollectionsController : Controller
    {
        IEnumerable<Collection> orgCollections;

-        var readAllAuthorized = (await _authorizationService.AuthorizeAsync(User, null, CollectionOperations.ReadAll(orgId))).Succeeded;
+        var readAllAuthorized = (await _authorizationService.AuthorizeAsync(User, CollectionOperations.ReadAll(orgId))).Succeeded;
        if (readAllAuthorized)
        {
            orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgId);
--- a/src/Api/Utilities/AuthorizationServiceExtensions.cs
+++ b/src/Api/Utilities/AuthorizationServiceExtensions.cs
@ -0,0 +1,32 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Api.Utilities;
+
+public static class AuthorizationServiceExtensions
+{
+    /// <summary>
+    /// Checks if a user meets a specific requirement.
+    /// </summary>
+    /// <param name="service">The <see cref="IAuthorizationService"/> providing authorization.</param>
+    /// <param name="user">The user to evaluate the policy against.</param>
+    /// <param name="requirement">The requirement to evaluate the policy against.</param>
+    /// <returns>
+    /// A flag indicating whether requirement evaluation has succeeded or failed.
+    /// This value is <value>true</value> when the user fulfills the policy, otherwise <value>false</value>.
+    /// </returns>
+    public static Task<AuthorizationResult> AuthorizeAsync(this IAuthorizationService service, ClaimsPrincipal user, IAuthorizationRequirement requirement)
+    {
+        if (service == null)
+        {
+            throw new ArgumentNullException(nameof(service));
+        }
+
+        if (requirement == null)
+        {
+            throw new ArgumentNullException(nameof(requirement));
+        }
+
+        return service.AuthorizeAsync(user, resource: null, new[] { requirement });
+    }
+}