[SM-380] Access checks for listing projects (#2496)

* Add project access checks for listing

src/Api/Controllers/ProjectsController.cs

@@ -2,6 +2,8 @@
 using Bit.Api.SecretManagerFeatures.Models.Request;
 using Bit.Api.SecretManagerFeatures.Models.Response;
 using Bit.Api.Utilities;
+using Bit.Core.Context;
+using Bit.Core.Enums;
 using Bit.Core.Exceptions;
 using Bit.Core.Repositories;
 using Bit.Core.SecretManagerFeatures.Projects.Interfaces;
@@ -18,24 +20,32 @@ public class ProjectsController : Controller
     private readonly ICreateProjectCommand _createProjectCommand;
     private readonly IUpdateProjectCommand _updateProjectCommand;
     private readonly IDeleteProjectCommand _deleteProjectCommand;
+    private readonly ICurrentContext _currentContext;
 
     public ProjectsController(
         IUserService userService,
         IProjectRepository projectRepository,
         ICreateProjectCommand createProjectCommand,
         IUpdateProjectCommand updateProjectCommand,
-        IDeleteProjectCommand deleteProjectCommand)
+        IDeleteProjectCommand deleteProjectCommand,
+        ICurrentContext currentContext)
     {
         _userService = userService;
         _projectRepository = projectRepository;
         _createProjectCommand = createProjectCommand;
         _updateProjectCommand = updateProjectCommand;
         _deleteProjectCommand = deleteProjectCommand;
+        _currentContext = currentContext;
     }
 
     [HttpPost("organizations/{organizationId}/projects")]
     public async Task<ProjectResponseModel> CreateAsync([FromRoute] Guid organizationId, [FromBody] ProjectCreateRequestModel createRequest)
     {
+        if (!await _currentContext.OrganizationUser(organizationId))
+        {
+            throw new NotFoundException();
+        }
+
         var result = await _createProjectCommand.CreateAsync(createRequest.ToProject(organizationId));
         return new ProjectResponseModel(result);
     }
@@ -43,15 +53,22 @@ public class ProjectsController : Controller
     [HttpPut("projects/{id}")]
     public async Task<ProjectResponseModel> UpdateProjectAsync([FromRoute] Guid id, [FromBody] ProjectUpdateRequestModel updateRequest)
     {
-        var result = await _updateProjectCommand.UpdateAsync(updateRequest.ToProject(id));
+        var userId = _userService.GetProperUserId(User).Value;
+
+        var result = await _updateProjectCommand.UpdateAsync(updateRequest.ToProject(id), userId);
         return new ProjectResponseModel(result);
     }
 
     [HttpGet("organizations/{organizationId}/projects")]
-    public async Task<ListResponseModel<ProjectResponseModel>> GetProjectsByOrganizationAsync([FromRoute] Guid organizationId)
+    public async Task<ListResponseModel<ProjectResponseModel>> GetProjectsByOrganizationAsync(
+        [FromRoute] Guid organizationId)
     {
         var userId = _userService.GetProperUserId(User).Value;
-        var projects = await _projectRepository.GetManyByOrganizationIdAsync(organizationId, userId);
+        var orgAdmin = await _currentContext.OrganizationAdmin(organizationId);
+        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
+
+        var projects = await _projectRepository.GetManyByOrganizationIdAsync(organizationId, userId, accessClient);
+
         var responses = projects.Select(project => new ProjectResponseModel(project));
         return new ListResponseModel<ProjectResponseModel>(responses);
     }
@@ -64,13 +81,32 @@ public class ProjectsController : Controller
         {
             throw new NotFoundException();
         }
+
+        var userId = _userService.GetProperUserId(User).Value;
+        var orgAdmin = await _currentContext.OrganizationAdmin(project.OrganizationId);
+        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
+
+        var hasAccess = accessClient switch
+        {
+            AccessClientType.NoAccessCheck => true,
+            AccessClientType.User => await _projectRepository.UserHasReadAccessToProject(id, userId),
+            _ => false,
+        };
+
+        if (!hasAccess)
+        {
+            throw new NotFoundException();
+        }
+
         return new ProjectResponseModel(project);
     }
 
     [HttpPost("projects/delete")]
     public async Task<ListResponseModel<BulkDeleteResponseModel>> BulkDeleteProjectsAsync([FromBody] List<Guid> ids)
     {
-        var results = await _deleteProjectCommand.DeleteProjects(ids);
+        var userId = _userService.GetProperUserId(User).Value;
+
+        var results = await _deleteProjectCommand.DeleteProjects(ids, userId);
         var responses = results.Select(r => new BulkDeleteResponseModel(r.Item1.Id, r.Item2));
         return new ListResponseModel<BulkDeleteResponseModel>(responses);
     }

src/Core/Context/CurrentContext.cs

@@ -34,6 +34,7 @@ public class CurrentContext : ICurrentContext
     public virtual int? BotScore { get; set; }
     public virtual string ClientId { get; set; }
     public virtual Version ClientVersion { get; set; }
+    public virtual ClientType ClientType { get; set; }
 
     public CurrentContext(IProviderUserRepository providerUserRepository)
     {
@@ -138,6 +139,13 @@ public class CurrentContext : ICurrentContext
             }
         }
 
+        var clientType = GetClaimValue(claimsDict, Claims.Type);
+        if (clientType != null)
+        {
+            Enum.TryParse(clientType, out ClientType c);
+            ClientType = c;
+        }
+
         DeviceIdentifier = GetClaimValue(claimsDict, Claims.Device);
 
         Organizations = GetOrganizations(claimsDict, orgApi);

src/Core/Context/ICurrentContext.cs

@@ -1,6 +1,7 @@
 using System.Security.Claims;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Identity;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Microsoft.AspNetCore.Http;
@@ -18,6 +19,7 @@ public interface ICurrentContext
     List<CurrentContentOrganization> Organizations { get; set; }
     Guid? InstallationId { get; set; }
     Guid? OrganizationId { get; set; }
+    ClientType ClientType { get; set; }
     bool IsBot { get; set; }
     bool MaybeBot { get; set; }
     int? BotScore { get; set; }

src/Core/Enums/AccessClientType.cs

@@ -0,0 +1,30 @@
+using Bit.Core.Identity;
+
+namespace Bit.Core.Enums;
+
+public enum AccessClientType
+{
+    NoAccessCheck = -1,
+    User = 0,
+    Organization = 1,
+    ServiceAccount = 2,
+}
+
+public static class AccessClientHelper
+{
+    public static AccessClientType ToAccessClient(ClientType clientType, bool bypassAccessCheck = false)
+    {
+        if (bypassAccessCheck)
+        {
+            return AccessClientType.NoAccessCheck;
+        }
+
+        return clientType switch
+        {
+            ClientType.User => AccessClientType.User,
+            ClientType.Organization => AccessClientType.Organization,
+            ClientType.ServiceAccount => AccessClientType.ServiceAccount,
+            _ => throw new ArgumentOutOfRangeException(nameof(clientType), clientType, null),
+        };
+    }
+}

src/Core/Identity/Claims.cs

@@ -16,4 +16,7 @@ public static class Claims
 
     // Service Account
     public const string Organization = "organization";
+
+    // General
+    public const string Type = "type";
 }

src/Core/Identity/ClientType.cs

@@ -0,0 +1,8 @@
+namespace Bit.Core.Identity;
+
+public enum ClientType : byte
+{
+    User = 0,
+    Organization = 1,
+    ServiceAccount = 2,
+}

src/Core/Repositories/IProjectRepository.cs

@@ -1,13 +1,16 @@
 using Bit.Core.Entities;
+using Bit.Core.Enums;
 
 namespace Bit.Core.Repositories;
 
 public interface IProjectRepository
 {
-    Task<IEnumerable<Project>> GetManyByOrganizationIdAsync(Guid organizationId, Guid userId);
+    Task<IEnumerable<Project>> GetManyByOrganizationIdAsync(Guid organizationId, Guid userId, AccessClientType accessType);
     Task<IEnumerable<Project>> GetManyByIds(IEnumerable<Guid> ids);
     Task<Project> GetByIdAsync(Guid id);
     Task<Project> CreateAsync(Project project);
     Task ReplaceAsync(Project project);
     Task DeleteManyByIdAsync(IEnumerable<Guid> ids);
+    Task<bool> UserHasReadAccessToProject(Guid id, Guid userId);
+    Task<bool> UserHasWriteAccessToProject(Guid id, Guid userId);
 }

src/Core/SecretManagerFeatures/Projects/Interfaces/IDeleteProjectCommand.cs

@@ -4,6 +4,6 @@ namespace Bit.Core.SecretManagerFeatures.Projects.Interfaces;
 
 public interface IDeleteProjectCommand
 {
-    Task<List<Tuple<Project, string>>> DeleteProjects(List<Guid> ids);
+    Task<List<Tuple<Project, string>>> DeleteProjects(List<Guid> ids, Guid userId);
 }
 

src/Core/SecretManagerFeatures/Projects/Interfaces/IUpdateProjectCommand.cs

@@ -4,5 +4,5 @@ namespace Bit.Core.SecretManagerFeatures.Projects.Interfaces;
 
 public interface IUpdateProjectCommand
 {
-    Task<Project> UpdateAsync(Project project);
+    Task<Project> UpdateAsync(Project updatedProject, Guid userId);
 }

src/Identity/IdentityServer/ClientStore.cs

@@ -110,6 +110,7 @@ public class ClientStore : IClientStore
             Claims = new List<ClientClaim>
             {
                 new(JwtClaimTypes.Subject, apiKey.ServiceAccountId.ToString()),
+                new(Claims.Type, ClientType.ServiceAccount.ToString()),
             },
         };
 
@@ -141,6 +142,7 @@ public class ClientStore : IClientStore
         {
             new(JwtClaimTypes.Subject, user.Id.ToString()),
             new(JwtClaimTypes.AuthenticationMethod, "Application", "external"),
+            new(Claims.Type, ClientType.User.ToString()),
         };
         var orgs = await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, user.Id);
         var providers = await _currentContext.ProviderMembershipAsync(_providerUserRepository, user.Id);
@@ -198,6 +200,7 @@ public class ClientStore : IClientStore
             Claims = new List<ClientClaim>
             {
                 new(JwtClaimTypes.Subject, org.Id.ToString()),
+                new(Claims.Type, ClientType.Organization.ToString()),
             },
         };
     }