[SM-380] Access checks for listing projects (#2496)

* Add project access checks for listing
2025-06-30 15:42:48 -05:00 · 2023-01-20 16:33:11 +01:00
parent a7c2ff9dbf
commit 5cd571df64
20 changed files with 452 additions and 69 deletions
--- a/src/Core/Context/CurrentContext.cs
+++ b/src/Core/Context/CurrentContext.cs
@ -34,6 +34,7 @@ public class CurrentContext : ICurrentContext
    public virtual int? BotScore { get; set; }
    public virtual string ClientId { get; set; }
    public virtual Version ClientVersion { get; set; }
+    public virtual ClientType ClientType { get; set; }

    public CurrentContext(IProviderUserRepository providerUserRepository)
    {
@ -138,6 +139,13 @@ public class CurrentContext : ICurrentContext
            }
        }

+        var clientType = GetClaimValue(claimsDict, Claims.Type);
+        if (clientType != null)
+        {
+            Enum.TryParse(clientType, out ClientType c);
+            ClientType = c;
+        }
+
        DeviceIdentifier = GetClaimValue(claimsDict, Claims.Device);

        Organizations = GetOrganizations(claimsDict, orgApi);
--- a/src/Core/Context/ICurrentContext.cs
+++ b/src/Core/Context/ICurrentContext.cs
@ -1,6 +1,7 @@
 using System.Security.Claims;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
+using Bit.Core.Identity;
 using Bit.Core.Repositories;
 using Bit.Core.Settings;
 using Microsoft.AspNetCore.Http;
@ -18,6 +19,7 @@ public interface ICurrentContext
    List<CurrentContentOrganization> Organizations { get; set; }
    Guid? InstallationId { get; set; }
    Guid? OrganizationId { get; set; }
+    ClientType ClientType { get; set; }
    bool IsBot { get; set; }
    bool MaybeBot { get; set; }
    int? BotScore { get; set; }
--- a/src/Core/Enums/AccessClientType.cs
+++ b/src/Core/Enums/AccessClientType.cs
@ -0,0 +1,30 @@
+using Bit.Core.Identity;
+
+namespace Bit.Core.Enums;
+
+public enum AccessClientType
+{
+    NoAccessCheck = -1,
+    User = 0,
+    Organization = 1,
+    ServiceAccount = 2,
+}
+
+public static class AccessClientHelper
+{
+    public static AccessClientType ToAccessClient(ClientType clientType, bool bypassAccessCheck = false)
+    {
+        if (bypassAccessCheck)
+        {
+            return AccessClientType.NoAccessCheck;
+        }
+
+        return clientType switch
+        {
+            ClientType.User => AccessClientType.User,
+            ClientType.Organization => AccessClientType.Organization,
+            ClientType.ServiceAccount => AccessClientType.ServiceAccount,
+            _ => throw new ArgumentOutOfRangeException(nameof(clientType), clientType, null),
+        };
+    }
+}
--- a/src/Core/Identity/Claims.cs
+++ b/src/Core/Identity/Claims.cs
@ -16,4 +16,7 @@ public static class Claims

    // Service Account
    public const string Organization = "organization";
+
+    // General
+    public const string Type = "type";
 }
--- a/src/Core/Identity/ClientType.cs
+++ b/src/Core/Identity/ClientType.cs
@ -0,0 +1,8 @@
+namespace Bit.Core.Identity;
+
+public enum ClientType : byte
+{
+    User = 0,
+    Organization = 1,
+    ServiceAccount = 2,
+}
--- a/src/Core/Repositories/IProjectRepository.cs
+++ b/src/Core/Repositories/IProjectRepository.cs
@ -1,13 +1,16 @@
 using Bit.Core.Entities;
+using Bit.Core.Enums;

 namespace Bit.Core.Repositories;

 public interface IProjectRepository
 {
-    Task<IEnumerable<Project>> GetManyByOrganizationIdAsync(Guid organizationId, Guid userId);
+    Task<IEnumerable<Project>> GetManyByOrganizationIdAsync(Guid organizationId, Guid userId, AccessClientType accessType);
    Task<IEnumerable<Project>> GetManyByIds(IEnumerable<Guid> ids);
    Task<Project> GetByIdAsync(Guid id);
    Task<Project> CreateAsync(Project project);
    Task ReplaceAsync(Project project);
    Task DeleteManyByIdAsync(IEnumerable<Guid> ids);
+    Task<bool> UserHasReadAccessToProject(Guid id, Guid userId);
+    Task<bool> UserHasWriteAccessToProject(Guid id, Guid userId);
 }
--- a/src/Core/SecretManagerFeatures/Projects/Interfaces/IDeleteProjectCommand.cs
+++ b/src/Core/SecretManagerFeatures/Projects/Interfaces/IDeleteProjectCommand.cs
@ -4,6 +4,6 @@ namespace Bit.Core.SecretManagerFeatures.Projects.Interfaces;

 public interface IDeleteProjectCommand
 {
-    Task<List<Tuple<Project, string>>> DeleteProjects(List<Guid> ids);
+    Task<List<Tuple<Project, string>>> DeleteProjects(List<Guid> ids, Guid userId);
 }

--- a/src/Core/SecretManagerFeatures/Projects/Interfaces/IUpdateProjectCommand.cs
+++ b/src/Core/SecretManagerFeatures/Projects/Interfaces/IUpdateProjectCommand.cs
@ -4,5 +4,5 @@ namespace Bit.Core.SecretManagerFeatures.Projects.Interfaces;

 public interface IUpdateProjectCommand
 {
-    Task<Project> UpdateAsync(Project project);
+    Task<Project> UpdateAsync(Project updatedProject, Guid userId);
 }