[SM-390] Project Access Policies (#2507)

The purpose of this PR is to create server endpoints for creating, reading, updating, and deleting access policies for projects.
2025-07-04 01:22:50 -05:00 · 2023-01-19 17:31:19 -06:00
parent ae647bbf44
commit 53ba2eeb18
24 changed files with 1133 additions and 63 deletions
--- a/src/Api/Controllers/AccessPoliciesController.cs
+++ b/src/Api/Controllers/AccessPoliciesController.cs
@ -0,0 +1,69 @@
+using Bit.Api.SecretManagerFeatures.Models.Request;
+using Bit.Api.SecretManagerFeatures.Models.Response;
+using Bit.Api.Utilities;
+using Bit.Core.Entities;
+using Bit.Core.Repositories;
+using Bit.Core.SecretManagerFeatures.AccessPolicies.Interfaces;
+using Microsoft.AspNetCore.Mvc;
+
+namespace Bit.Api.Controllers;
+
+[SecretsManager]
+[Route("access-policies")]
+public class AccessPoliciesController : Controller
+{
+    private readonly IAccessPolicyRepository _accessPolicyRepository;
+    private readonly ICreateAccessPoliciesCommand _createAccessPoliciesCommand;
+    private readonly IDeleteAccessPolicyCommand _deleteAccessPolicyCommand;
+    private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
+
+    public AccessPoliciesController(
+        IAccessPolicyRepository accessPolicyRepository,
+        ICreateAccessPoliciesCommand createAccessPoliciesCommand,
+        IDeleteAccessPolicyCommand deleteAccessPolicyCommand,
+        IUpdateAccessPolicyCommand updateAccessPolicyCommand)
+    {
+        _accessPolicyRepository = accessPolicyRepository;
+        _createAccessPoliciesCommand = createAccessPoliciesCommand;
+        _deleteAccessPolicyCommand = deleteAccessPolicyCommand;
+        _updateAccessPolicyCommand = updateAccessPolicyCommand;
+    }
+
+    [HttpPost("/projects/{id}/access-policies")]
+    public async Task<ProjectAccessPoliciesResponseModel> CreateProjectAccessPoliciesAsync([FromRoute] Guid id,
+        [FromBody] AccessPoliciesCreateRequest request)
+    {
+        var policies = request.ToBaseAccessPoliciesForProject(id);
+        var results = await _createAccessPoliciesCommand.CreateAsync(policies);
+        return new ProjectAccessPoliciesResponseModel(results);
+    }
+
+    [HttpGet("/projects/{id}/access-policies")]
+    public async Task<ProjectAccessPoliciesResponseModel> GetProjectAccessPoliciesAsync([FromRoute] Guid id)
+    {
+        var results = await _accessPolicyRepository.GetManyByProjectId(id);
+        return new ProjectAccessPoliciesResponseModel(results);
+    }
+
+    [HttpPut("{id}")]
+    public async Task<BaseAccessPolicyResponseModel> UpdateAccessPolicyAsync([FromRoute] Guid id,
+        [FromBody] AccessPolicyUpdateRequest request)
+    {
+        var result = await _updateAccessPolicyCommand.UpdateAsync(id, request.Read, request.Write);
+
+        return result switch
+        {
+            UserProjectAccessPolicy accessPolicy => new UserProjectAccessPolicyResponseModel(accessPolicy),
+            GroupProjectAccessPolicy accessPolicy => new GroupProjectAccessPolicyResponseModel(accessPolicy),
+            ServiceAccountProjectAccessPolicy accessPolicy => new ServiceAccountProjectAccessPolicyResponseModel(
+                accessPolicy),
+            _ => throw new ArgumentException("Unsupported access policy type provided.")
+        };
+    }
+
+    [HttpDelete("{id}")]
+    public async Task DeleteAccessPolicyAsync([FromRoute] Guid id)
+    {
+        await _deleteAccessPolicyCommand.DeleteAsync(id);
+    }
+}