API to get org policies by invite token (#661)

* API to get org policies by invite token

* from query attr

src/Api/Controllers/PoliciesController.cs

@@ -9,6 +9,8 @@ using Bit.Core.Exceptions;
 using Bit.Core.Services;
 using Bit.Core;
 using Bit.Core.Enums;
+using Bit.Core.Utilities;
+using Microsoft.AspNetCore.DataProtection;
 
 namespace Bit.Api.Controllers
 {
@@ -19,21 +21,31 @@ namespace Bit.Api.Controllers
         private readonly IPolicyRepository _policyRepository;
         private readonly IPolicyService _policyService;
         private readonly IOrganizationService _organizationService;
+        private readonly IOrganizationUserRepository _organizationUserRepository;
         private readonly IUserService _userService;
         private readonly CurrentContext _currentContext;
+        private readonly GlobalSettings _globalSettings;
+        private readonly IDataProtector _organizationServiceDataProtector;
 
         public PoliciesController(
             IPolicyRepository policyRepository,
             IPolicyService policyService,
             IOrganizationService organizationService,
+            IOrganizationUserRepository organizationUserRepository,
             IUserService userService,
-            CurrentContext currentContext)
+            CurrentContext currentContext,
+            GlobalSettings globalSettings,
+            IDataProtectionProvider dataProtectionProvider)
         {
             _policyRepository = policyRepository;
             _policyService = policyService;
             _organizationService = organizationService;
+            _organizationUserRepository = organizationUserRepository;
             _userService = userService;
             _currentContext = currentContext;
+            _globalSettings = globalSettings;
+            _organizationServiceDataProtector = dataProtectionProvider.CreateProtector(
+                "OrganizationServiceDataProtector");
         }
 
         [HttpGet("{type}")]
@@ -67,6 +79,31 @@ namespace Bit.Api.Controllers
             return new ListResponseModel<PolicyResponseModel>(responses);
         }
 
+        [AllowAnonymous]
+        [HttpGet("token")]
+        public async Task<ListResponseModel<PolicyResponseModel>> GetByToken(string orgId, [FromQuery]string email,
+            [FromQuery]string token, [FromQuery]string organizationUserId)
+        {
+            var orgUserId = new Guid(organizationUserId);
+            var tokenValid = CoreHelpers.UserInviteTokenIsValid(_organizationServiceDataProtector, token,
+                email, orgUserId, _globalSettings);
+            if(!tokenValid)
+            {
+                throw new NotFoundException();
+            }
+
+            var orgIdGuid = new Guid(orgId);
+            var orgUser = await _organizationUserRepository.GetByIdAsync(orgUserId);
+            if(orgUser == null || orgUser.OrganizationId != orgIdGuid)
+            {
+                throw new NotFoundException();
+            }
+
+            var policies = await _policyRepository.GetManyByOrganizationIdAsync(orgIdGuid);
+            var responses = policies.Select(p => new PolicyResponseModel(p));
+            return new ListResponseModel<PolicyResponseModel>(responses);
+        }
+
         [HttpPut("{type}")]
         public async Task<PolicyResponseModel> Put(string orgId, int type, [FromBody]PolicyRequestModel model)
         {