mirror of
https://github.com/bitwarden/server.git
synced 2025-06-30 15:42:48 -05:00
[SM-574] Wire up read/write for secret list and secret response (#2767)
* Wire up read/write for secret list and secret response * Fix trash * Remove UserHasReadPermission * Fix list by project * Implement admin and service accounts for AccessToSecretAsync * Resolve feedback * Fix tests * Rename function * Change create to return true, true * Remove duplicated access check
This commit is contained in:
Oscar Hinton
@ -8,7 +8,6 @@ using Bit.Core.Identity;
|
||||
using Bit.Core.Models.Business;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.SecretsManager.Commands.Secrets.Interfaces;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
@ -83,7 +82,9 @@ public class SecretsController : Controller
|
||||
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var result = await _createSecretCommand.CreateAsync(createRequest.ToSecret(organizationId), userId);
|
||||
return new SecretResponseModel(result);
|
||||
|
||||
// Creating a secret means you have read & write permission.
|
||||
return new SecretResponseModel(result, true, true);
|
||||
}
|
||||
|
||||
[HttpGet("secrets/{id}")]
|
||||
@ -96,21 +97,26 @@ public class SecretsController : Controller
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
if (!await UserHasReadAccessToSecret(secret))
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var orgAdmin = await _currentContext.OrganizationAdmin(secret.OrganizationId);
|
||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
||||
|
||||
var access = await _secretRepository.AccessToSecretAsync(id, userId, accessClient);
|
||||
|
||||
if (!access.Read)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
if (_currentContext.ClientType == ClientType.ServiceAccount)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
await _eventService.LogServiceAccountSecretEventAsync(userId, secret, EventType.Secret_Retrieved);
|
||||
|
||||
var org = await _organizationRepository.GetByIdAsync(secret.OrganizationId);
|
||||
await _referenceEventService.RaiseEventAsync(new ReferenceEvent(ReferenceEventType.SmServiceAccountAccessedSecret, org));
|
||||
}
|
||||
|
||||
return new SecretResponseModel(secret);
|
||||
return new SecretResponseModel(secret, access.Read, access.Write);
|
||||
}
|
||||
|
||||
[HttpGet("projects/{projectId}/secrets")]
|
||||
@ -137,7 +143,9 @@ public class SecretsController : Controller
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var secret = updateRequest.ToSecret(id);
|
||||
var result = await _updateSecretCommand.UpdateAsync(secret, userId);
|
||||
return new SecretResponseModel(result);
|
||||
|
||||
// Updating a secret means you have read & write permission.
|
||||
return new SecretResponseModel(result, true, true);
|
||||
}
|
||||
|
||||
[HttpPost("secrets/delete")]
|
||||
@ -148,26 +156,4 @@ public class SecretsController : Controller
|
||||
var responses = results.Select(r => new BulkDeleteResponseModel(r.Item1.Id, r.Item2));
|
||||
return new ListResponseModel<BulkDeleteResponseModel>(responses);
|
||||
}
|
||||
|
||||
public async Task<bool> UserHasReadAccessToSecret(Secret secret)
|
||||
{
|
||||
var userId = _userService.GetProperUserId(User).Value;
|
||||
var orgAdmin = await _currentContext.OrganizationAdmin(secret.OrganizationId);
|
||||
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
|
||||
var hasAccess = orgAdmin;
|
||||
|
||||
if (secret.Projects?.Count > 0)
|
||||
{
|
||||
Guid projectId = secret.Projects.FirstOrDefault().Id;
|
||||
hasAccess = accessClient switch
|
||||
{
|
||||
AccessClientType.NoAccessCheck => true,
|
||||
AccessClientType.User => await _projectRepository.UserHasReadAccessToProject(projectId, userId),
|
||||
AccessClientType.ServiceAccount => await _projectRepository.ServiceAccountHasReadAccessToProject(projectId, userId),
|
||||
_ => false,
|
||||
};
|
||||
}
|
||||
|
||||
return hasAccess;
|
||||
}
|
||||
}
|
||||
|
||||
@ -47,7 +47,7 @@ public class SecretsManagerPortingController : Controller
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
return new SMExportResponseModel(projects, secrets);
|
||||
return new SMExportResponseModel(projects, secrets.Select(s => s.Secret));
|
||||
}
|
||||
|
||||
[HttpPost("sm/{organizationId}/import")]
|
||||
|
||||
@ -7,7 +7,7 @@ public class SecretResponseModel : ResponseModel
|
||||
{
|
||||
private const string _objectName = "secret";
|
||||
|
||||
public SecretResponseModel(Secret secret) : base(_objectName)
|
||||
public SecretResponseModel(Secret secret, bool read, bool write) : base(_objectName)
|
||||
{
|
||||
if (secret == null)
|
||||
{
|
||||
@ -22,6 +22,9 @@ public class SecretResponseModel : ResponseModel
|
||||
CreationDate = secret.CreationDate;
|
||||
RevisionDate = secret.RevisionDate;
|
||||
Projects = secret.Projects?.Select(p => new InnerProject(p));
|
||||
|
||||
Read = read;
|
||||
Write = write;
|
||||
}
|
||||
|
||||
public SecretResponseModel() : base(_objectName)
|
||||
@ -44,6 +47,10 @@ public class SecretResponseModel : ResponseModel
|
||||
|
||||
public IEnumerable<InnerProject> Projects { get; set; }
|
||||
|
||||
public bool Read { get; set; }
|
||||
|
||||
public bool Write { get; set; }
|
||||
|
||||
public class InnerProject
|
||||
{
|
||||
public InnerProject(Project project)
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
using Bit.Core.Models.Api;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Models.Data;
|
||||
|
||||
namespace Bit.Api.SecretsManager.Models.Response;
|
||||
|
||||
@ -7,10 +8,10 @@ public class SecretWithProjectsListResponseModel : ResponseModel
|
||||
{
|
||||
private const string _objectName = "SecretsWithProjectsList";
|
||||
|
||||
public SecretWithProjectsListResponseModel(IEnumerable<Secret> secrets) : base(_objectName)
|
||||
public SecretWithProjectsListResponseModel(IEnumerable<SecretPermissionDetails> secrets) : base(_objectName)
|
||||
{
|
||||
Secrets = secrets.Select(s => new InnerSecret(s));
|
||||
Projects = secrets.SelectMany(s => s.Projects).DistinctBy(p => p.Id).Select(p => new InnerProject(p));
|
||||
Projects = secrets.SelectMany(s => s.Secret.Projects).DistinctBy(p => p.Id).Select(p => new InnerProject(p));
|
||||
}
|
||||
|
||||
public SecretWithProjectsListResponseModel() : base(_objectName)
|
||||
@ -38,14 +39,16 @@ public class SecretWithProjectsListResponseModel : ResponseModel
|
||||
|
||||
public class InnerSecret
|
||||
{
|
||||
public InnerSecret(Secret secret)
|
||||
public InnerSecret(SecretPermissionDetails secret)
|
||||
{
|
||||
Id = secret.Id.ToString();
|
||||
OrganizationId = secret.OrganizationId.ToString();
|
||||
Key = secret.Key;
|
||||
CreationDate = secret.CreationDate;
|
||||
RevisionDate = secret.RevisionDate;
|
||||
Projects = secret.Projects?.Select(p => new InnerProject(p));
|
||||
Id = secret.Secret.Id.ToString();
|
||||
OrganizationId = secret.Secret.OrganizationId.ToString();
|
||||
Key = secret.Secret.Key;
|
||||
CreationDate = secret.Secret.CreationDate;
|
||||
RevisionDate = secret.Secret.RevisionDate;
|
||||
Projects = secret.Secret.Projects?.Select(p => new InnerProject(p));
|
||||
Read = secret.Read;
|
||||
Write = secret.Write;
|
||||
}
|
||||
|
||||
public InnerSecret()
|
||||
@ -63,6 +66,8 @@ public class SecretWithProjectsListResponseModel : ResponseModel
|
||||
public DateTime RevisionDate { get; set; }
|
||||
|
||||
public IEnumerable<InnerProject> Projects { get; set; }
|
||||
public bool Read { get; set; }
|
||||
public bool Write { get; set; }
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user