[SM-390] Project Access Policies (#2507)

The purpose of this PR is to create server endpoints for creating, reading, updating, and deleting access policies for projects.

src/Api/Controllers/AccessPoliciesController.cs

@@ -0,0 +1,69 @@
+using Bit.Api.SecretManagerFeatures.Models.Request;
+using Bit.Api.SecretManagerFeatures.Models.Response;
+using Bit.Api.Utilities;
+using Bit.Core.Entities;
+using Bit.Core.Repositories;
+using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Controllers;
+
+[SecretsManager]
+[Route("access-policies")]
+public class AccessPoliciesController : Controller
+{
+    private readonly IAccessPolicyRepository _accessPolicyRepository;
+    private readonly ICreateAccessPoliciesCommand _createAccessPoliciesCommand;
+    private readonly IDeleteAccessPolicyCommand _deleteAccessPolicyCommand;
+    private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
+
+    public AccessPoliciesController(
+        IAccessPolicyRepository accessPolicyRepository,
+        ICreateAccessPoliciesCommand createAccessPoliciesCommand,
+        IDeleteAccessPolicyCommand deleteAccessPolicyCommand,
+        IUpdateAccessPolicyCommand updateAccessPolicyCommand)
+    {
+        _accessPolicyRepository = accessPolicyRepository;
+        _createAccessPoliciesCommand = createAccessPoliciesCommand;
+        _deleteAccessPolicyCommand = deleteAccessPolicyCommand;
+        _updateAccessPolicyCommand = updateAccessPolicyCommand;
+    }
+
+    [HttpPost("/projects/{id}/access-policies")]
+    public async Task<ProjectAccessPoliciesResponseModel> CreateProjectAccessPoliciesAsync([FromRoute] Guid id,
+        [FromBody] AccessPoliciesCreateRequest request)
+    {
+        var policies = request.ToBaseAccessPoliciesForProject(id);
+        var results = await _createAccessPoliciesCommand.CreateAsync(policies);
+        return new ProjectAccessPoliciesResponseModel(results);
+    }
+
+    [HttpGet("/projects/{id}/access-policies")]
+    public async Task<ProjectAccessPoliciesResponseModel> GetProjectAccessPoliciesAsync([FromRoute] Guid id)
+    {
+        var results = await _accessPolicyRepository.GetManyByProjectId(id);
+        return new ProjectAccessPoliciesResponseModel(results);
+    }
+
+    [HttpPut("{id}")]
+    public async Task<BaseAccessPolicyResponseModel> UpdateAccessPolicyAsync([FromRoute] Guid id,
+        [FromBody] AccessPolicyUpdateRequest request)
+    {
+        var result = await _updateAccessPolicyCommand.UpdateAsync(id, request.Read, request.Write);
+
+        return result switch
+        {
+            UserProjectAccessPolicy accessPolicy => new UserProjectAccessPolicyResponseModel(accessPolicy),
+            GroupProjectAccessPolicy accessPolicy => new GroupProjectAccessPolicyResponseModel(accessPolicy),
+            ServiceAccountProjectAccessPolicy accessPolicy => new ServiceAccountProjectAccessPolicyResponseModel(
+                accessPolicy),
+            _ => throw new ArgumentException("Unsupported access policy type provided.")
+        };
+    }
+
+    [HttpDelete("{id}")]
+    public async Task DeleteAccessPolicyAsync([FromRoute] Guid id)
+    {
+        await _deleteAccessPolicyCommand.DeleteAsync(id);
+    }
+}

src/Api/SecretManagerFeatures/Models/Request/AccessPoliciesCreateRequest.cs

@@ -0,0 +1,77 @@
+#nullable enable
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+
+namespace Bit.Api.SecretManagerFeatures.Models.Request;
+
+public class AccessPoliciesCreateRequest
+{
+    public IEnumerable<AccessPolicyRequest>? UserAccessPolicyRequests { get; set; }
+
+    public IEnumerable<AccessPolicyRequest>? GroupAccessPolicyRequests { get; set; }
+
+    public IEnumerable<AccessPolicyRequest>? ServiceAccountAccessPolicyRequests { get; set; }
+
+    public List<BaseAccessPolicy> ToBaseAccessPoliciesForProject(Guid projectId)
+    {
+        if (UserAccessPolicyRequests == null && GroupAccessPolicyRequests == null && ServiceAccountAccessPolicyRequests == null)
+        {
+            throw new BadRequestException("No creation requests provided.");
+        }
+
+        var userAccessPolicies = UserAccessPolicyRequests?
+            .Select(x => x.ToUserProjectAccessPolicy(projectId)).ToList();
+
+        var groupAccessPolicies = GroupAccessPolicyRequests?
+            .Select(x => x.ToGroupProjectAccessPolicy(projectId)).ToList();
+
+        var serviceAccountAccessPolicies = ServiceAccountAccessPolicyRequests?
+            .Select(x => x.ToServiceAccountProjectAccessPolicy(projectId)).ToList();
+
+        var policies = new List<BaseAccessPolicy>();
+        if (userAccessPolicies != null) { policies.AddRange(userAccessPolicies); }
+        if (groupAccessPolicies != null) { policies.AddRange(groupAccessPolicies); }
+        if (serviceAccountAccessPolicies != null) { policies.AddRange(serviceAccountAccessPolicies); }
+        return policies;
+    }
+}
+
+public class AccessPolicyRequest
+{
+    [Required]
+    public Guid GranteeId { get; set; }
+
+    [Required]
+    public bool Read { get; set; }
+
+    [Required]
+    public bool Write { get; set; }
+
+    public UserProjectAccessPolicy ToUserProjectAccessPolicy(Guid projectId) =>
+        new()
+        {
+            OrganizationUserId = GranteeId,
+            GrantedProjectId = projectId,
+            Read = Read,
+            Write = Write
+        };
+
+    public GroupProjectAccessPolicy ToGroupProjectAccessPolicy(Guid projectId) =>
+        new()
+        {
+            GroupId = GranteeId,
+            GrantedProjectId = projectId,
+            Read = Read,
+            Write = Write
+        };
+
+    public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid projectId) =>
+        new()
+        {
+            ServiceAccountId = GranteeId,
+            GrantedProjectId = projectId,
+            Read = Read,
+            Write = Write
+        };
+}

src/Api/SecretManagerFeatures/Models/Request/AccessPolicyUpdateRequest.cs

@@ -0,0 +1,12 @@
+using System.ComponentModel.DataAnnotations;
+
+namespace Bit.Api.SecretManagerFeatures.Models.Request;
+
+public class AccessPolicyUpdateRequest
+{
+    [Required]
+    public bool Read { get; set; }
+
+    [Required]
+    public bool Write { get; set; }
+}

src/Api/SecretManagerFeatures/Models/Response/AccessPolicyResponseModel.cs

@@ -0,0 +1,128 @@
+#nullable enable
+using Bit.Core.Entities;
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.SecretManagerFeatures.Models.Response;
+
+public abstract class BaseAccessPolicyResponseModel : ResponseModel
+{
+    protected BaseAccessPolicyResponseModel(BaseAccessPolicy baseAccessPolicy, string obj) : base(obj)
+    {
+        Id = baseAccessPolicy.Id;
+        Read = baseAccessPolicy.Read;
+        Write = baseAccessPolicy.Write;
+        CreationDate = baseAccessPolicy.CreationDate;
+        RevisionDate = baseAccessPolicy.RevisionDate;
+    }
+
+    public Guid Id { get; set; }
+    public bool Read { get; set; }
+    public bool Write { get; set; }
+    public DateTime CreationDate { get; set; }
+    public DateTime RevisionDate { get; set; }
+}
+
+public class UserProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
+{
+    private const string _objectName = "userProjectAccessPolicy";
+
+    public UserProjectAccessPolicyResponseModel(UserProjectAccessPolicy accessPolicy) : base(accessPolicy, _objectName)
+    {
+        OrganizationUserId = accessPolicy.OrganizationUserId;
+        GrantedProjectId = accessPolicy.GrantedProjectId;
+        OrganizationUserName = accessPolicy.User?.Name;
+    }
+
+    public UserProjectAccessPolicyResponseModel() : base(new UserProjectAccessPolicy(), _objectName)
+    {
+    }
+
+    public Guid? OrganizationUserId { get; set; }
+    public string? OrganizationUserName { get; set; }
+    public Guid? GrantedProjectId { get; set; }
+}
+
+public class UserServiceAccountAccessPolicyResponseModel : BaseAccessPolicyResponseModel
+{
+    private const string _objectName = "userServiceAccountAccessPolicy";
+
+    public UserServiceAccountAccessPolicyResponseModel(UserServiceAccountAccessPolicy accessPolicy)
+        : base(accessPolicy, _objectName)
+    {
+        OrganizationUserId = accessPolicy.OrganizationUserId;
+        GrantedServiceAccountId = accessPolicy.GrantedServiceAccountId;
+        OrganizationUserName = accessPolicy.User?.Name;
+    }
+
+    public UserServiceAccountAccessPolicyResponseModel() : base(new UserServiceAccountAccessPolicy(), _objectName)
+    {
+    }
+
+    public Guid? OrganizationUserId { get; set; }
+    public string? OrganizationUserName { get; set; }
+    public Guid? GrantedServiceAccountId { get; set; }
+}
+
+public class GroupProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
+{
+    private const string _objectName = "groupProjectAccessPolicy";
+
+    public GroupProjectAccessPolicyResponseModel(GroupProjectAccessPolicy accessPolicy)
+        : base(accessPolicy, _objectName)
+    {
+        GroupId = accessPolicy.GroupId;
+        GrantedProjectId = accessPolicy.GrantedProjectId;
+        GroupName = accessPolicy.Group?.Name;
+    }
+
+    public GroupProjectAccessPolicyResponseModel() : base(new GroupProjectAccessPolicy(), _objectName)
+    {
+    }
+
+    public Guid? GroupId { get; set; }
+    public string? GroupName { get; set; }
+    public Guid? GrantedProjectId { get; set; }
+}
+
+public class GroupServiceAccountAccessPolicyResponseModel : BaseAccessPolicyResponseModel
+{
+    private const string _objectName = "groupServiceAccountAccessPolicy";
+
+    public GroupServiceAccountAccessPolicyResponseModel(GroupServiceAccountAccessPolicy accessPolicy)
+        : base(accessPolicy, _objectName)
+    {
+        GroupId = accessPolicy.GroupId;
+        GroupName = accessPolicy.Group?.Name;
+        GrantedServiceAccountId = accessPolicy.GrantedServiceAccountId;
+    }
+
+    public GroupServiceAccountAccessPolicyResponseModel() : base(new GroupServiceAccountAccessPolicy(), _objectName)
+    {
+    }
+
+    public Guid? GroupId { get; set; }
+    public string? GroupName { get; set; }
+    public Guid? GrantedServiceAccountId { get; set; }
+}
+
+public class ServiceAccountProjectAccessPolicyResponseModel : BaseAccessPolicyResponseModel
+{
+    private const string _objectName = "serviceAccountProjectAccessPolicy";
+
+    public ServiceAccountProjectAccessPolicyResponseModel(ServiceAccountProjectAccessPolicy accessPolicy)
+        : base(accessPolicy, _objectName)
+    {
+        ServiceAccountId = accessPolicy.ServiceAccountId;
+        GrantedProjectId = accessPolicy.GrantedProjectId;
+        ServiceAccountName = accessPolicy.ServiceAccount?.Name;
+    }
+
+    public ServiceAccountProjectAccessPolicyResponseModel()
+        : base(new ServiceAccountProjectAccessPolicy(), _objectName)
+    {
+    }
+
+    public Guid? ServiceAccountId { get; set; }
+    public string? ServiceAccountName { get; set; }
+    public Guid? GrantedProjectId { get; set; }
+}

src/Api/SecretManagerFeatures/Models/Response/ProjectAccessPoliciesResponseModel.cs

@@ -0,0 +1,43 @@
+using Bit.Core.Entities;
+using Bit.Core.Models.Api;
+
+namespace Bit.Api.SecretManagerFeatures.Models.Response;
+
+public class ProjectAccessPoliciesResponseModel : ResponseModel
+{
+    private const string _objectName = "projectAccessPolicies";
+
+    public ProjectAccessPoliciesResponseModel(IEnumerable<BaseAccessPolicy> baseAccessPolicies)
+        : base(_objectName)
+    {
+        if (baseAccessPolicies == null)
+        {
+            return;
+        }
+
+        foreach (var baseAccessPolicy in baseAccessPolicies)
+            switch (baseAccessPolicy)
+            {
+                case UserProjectAccessPolicy accessPolicy:
+                    UserAccessPolicies.Add(new UserProjectAccessPolicyResponseModel(accessPolicy));
+                    break;
+                case GroupProjectAccessPolicy accessPolicy:
+                    GroupAccessPolicies.Add(new GroupProjectAccessPolicyResponseModel(accessPolicy));
+                    break;
+                case ServiceAccountProjectAccessPolicy accessPolicy:
+                    ServiceAccountAccessPolicies.Add(
+                        new ServiceAccountProjectAccessPolicyResponseModel(accessPolicy));
+                    break;
+            }
+    }
+
+    public ProjectAccessPoliciesResponseModel() : base(_objectName)
+    {
+    }
+
+    public List<UserProjectAccessPolicyResponseModel> UserAccessPolicies { get; set; } = new();
+
+    public List<GroupProjectAccessPolicyResponseModel> GroupAccessPolicies { get; set; } = new();
+
+    public List<ServiceAccountProjectAccessPolicyResponseModel> ServiceAccountAccessPolicies { get; set; } = new();
+}