[PM-11360] Remove export permission for providers (#5051)

- also fix managed collections export from CLI

src/Api/Tools/Authorization/VaultExportAuthorizationHandler.cs

@@ -0,0 +1,38 @@
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Api.Tools.Authorization;
+
+public class VaultExportAuthorizationHandler(ICurrentContext currentContext)
+    : AuthorizationHandler<VaultExportOperationRequirement, OrganizationScope>
+{
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        VaultExportOperationRequirement requirement, OrganizationScope organizationScope)
+    {
+        var org = currentContext.GetOrganization(organizationScope);
+
+        var authorized = requirement switch
+        {
+            not null when requirement == VaultExportOperations.ExportWholeVault =>
+                CanExportWholeVault(org),
+            not null when requirement == VaultExportOperations.ExportManagedCollections =>
+                CanExportManagedCollections(org),
+            _ => false
+        };
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
+        }
+
+        return Task.FromResult(0);
+    }
+
+    private bool CanExportWholeVault(CurrentContextOrganization organization) => organization is
+    { Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
+    { Type: OrganizationUserType.Custom, Permissions.AccessImportExport: true };
+
+    private bool CanExportManagedCollections(CurrentContextOrganization organization) => organization is not null;
+}

src/Api/Tools/Authorization/VaultExportOperations.cs

@@ -0,0 +1,20 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Api.Tools.Authorization;
+
+public class VaultExportOperationRequirement : OperationAuthorizationRequirement;
+
+public static class VaultExportOperations
+{
+    /// <summary>
+    /// Exporting the entire organization vault.
+    /// </summary>
+    public static readonly VaultExportOperationRequirement ExportWholeVault =
+        new() { Name = nameof(ExportWholeVault) };
+
+    /// <summary>
+    /// Exporting only the organization items that the user has Can Manage permissions for
+    /// </summary>
+    public static readonly VaultExportOperationRequirement ExportManagedCollections =
+        new() { Name = nameof(ExportManagedCollections) };
+}

src/Api/Tools/Controllers/OrganizationExportController.cs

@@ -1,11 +1,17 @@
 using Bit.Api.Models.Response;
+using Bit.Api.Tools.Authorization;
 using Bit.Api.Tools.Models.Response;
 using Bit.Api.Vault.Models.Response;
+using Bit.Core;
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.Context;
 using Bit.Core.Entities;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Settings;
 using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
 using Bit.Core.Vault.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
@@ -21,24 +27,41 @@ public class OrganizationExportController : Controller
     private readonly ICollectionService _collectionService;
     private readonly ICipherService _cipherService;
     private readonly GlobalSettings _globalSettings;
+    private readonly IFeatureService _featureService;
+    private readonly IAuthorizationService _authorizationService;
+    private readonly IOrganizationCiphersQuery _organizationCiphersQuery;
+    private readonly ICollectionRepository _collectionRepository;
 
     public OrganizationExportController(
         ICurrentContext currentContext,
         ICipherService cipherService,
         ICollectionService collectionService,
         IUserService userService,
-        GlobalSettings globalSettings)
+        GlobalSettings globalSettings,
+        IFeatureService featureService,
+        IAuthorizationService authorizationService,
+        IOrganizationCiphersQuery organizationCiphersQuery,
+        ICollectionRepository collectionRepository)
     {
         _currentContext = currentContext;
         _cipherService = cipherService;
         _collectionService = collectionService;
         _userService = userService;
         _globalSettings = globalSettings;
+        _featureService = featureService;
+        _authorizationService = authorizationService;
+        _organizationCiphersQuery = organizationCiphersQuery;
+        _collectionRepository = collectionRepository;
     }
 
     [HttpGet("export")]
     public async Task<IActionResult> Export(Guid organizationId)
     {
+        if (_featureService.IsEnabled(FeatureFlagKeys.PM11360RemoveProviderExportPermission))
+        {
+            return await Export_vNext(organizationId);
+        }
+
         var userId = _userService.GetProperUserId(User).Value;
 
         IEnumerable<Collection> orgCollections = await _collectionService.GetOrganizationCollectionsAsync(organizationId);
@@ -65,6 +88,35 @@ public class OrganizationExportController : Controller
         return Ok(organizationExportListResponseModel);
     }
 
+    private async Task<IActionResult> Export_vNext(Guid organizationId)
+    {
+        var canExportAll = await _authorizationService.AuthorizeAsync(User, new OrganizationScope(organizationId),
+            VaultExportOperations.ExportWholeVault);
+        if (canExportAll.Succeeded)
+        {
+            var allOrganizationCiphers = await _organizationCiphersQuery.GetAllOrganizationCiphers(organizationId);
+            var allCollections = await _collectionRepository.GetManyByOrganizationIdAsync(organizationId);
+            return Ok(new OrganizationExportResponseModel(allOrganizationCiphers, allCollections, _globalSettings));
+        }
+
+        var canExportManaged = await _authorizationService.AuthorizeAsync(User, new OrganizationScope(organizationId),
+            VaultExportOperations.ExportManagedCollections);
+        if (canExportManaged.Succeeded)
+        {
+            var userId = _userService.GetProperUserId(User)!.Value;
+
+            var allUserCollections = await _collectionRepository.GetManyByUserIdAsync(userId);
+            var managedOrgCollections = allUserCollections.Where(c => c.OrganizationId == organizationId && c.Manage).ToList();
+            var managedCiphers =
+                await _organizationCiphersQuery.GetOrganizationCiphersByCollectionIds(organizationId, managedOrgCollections.Select(c => c.Id));
+
+            return Ok(new OrganizationExportResponseModel(managedCiphers, managedOrgCollections, _globalSettings));
+        }
+
+        // Unauthorized
+        throw new NotFoundException();
+    }
+
     private ListResponseModel<CollectionResponseModel> GetOrganizationCollectionsResponse(IEnumerable<Collection> orgCollections)
     {
         var collections = orgCollections.Select(c => new CollectionResponseModel(c));

src/Api/Tools/Models/Response/OrganizationExportResponseModel.cs

@@ -1,6 +1,9 @@
 using Bit.Api.Models.Response;
 using Bit.Api.Vault.Models.Response;
+using Bit.Core.Entities;
 using Bit.Core.Models.Api;
+using Bit.Core.Settings;
+using Bit.Core.Vault.Models.Data;
 
 namespace Bit.Api.Tools.Models.Response;
 
@@ -10,6 +13,13 @@ public class OrganizationExportResponseModel : ResponseModel
     {
     }
 
+    public OrganizationExportResponseModel(IEnumerable<CipherOrganizationDetailsWithCollections> ciphers,
+        IEnumerable<Collection> collections, GlobalSettings globalSettings) : this()
+    {
+        Ciphers = ciphers.Select(c => new CipherMiniDetailsResponseModel(c, globalSettings));
+        Collections = collections.Select(c => new CollectionResponseModel(c));
+    }
+
     public IEnumerable<CollectionResponseModel> Collections { get; set; }
 
     public IEnumerable<CipherMiniDetailsResponseModel> Ciphers { get; set; }

src/Api/Utilities/ServiceCollectionExtensions.cs

@@ -1,4 +1,5 @@
-using Bit.Api.Vault.AuthorizationHandlers.Collections;
+using Bit.Api.Tools.Authorization;
+using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Core.AdminConsole.OrganizationFeatures.Groups.Authorization;
 using Bit.Core.IdentityServer;
 using Bit.Core.Settings;
@@ -99,5 +100,6 @@ public static class ServiceCollectionExtensions
         services.AddScoped<IAuthorizationHandler, BulkCollectionAuthorizationHandler>();
         services.AddScoped<IAuthorizationHandler, CollectionAuthorizationHandler>();
         services.AddScoped<IAuthorizationHandler, GroupAuthorizationHandler>();
+        services.AddScoped<IAuthorizationHandler, VaultExportAuthorizationHandler>();
     }
 }

src/Api/Vault/Models/Response/CipherResponseModel.cs

@@ -166,5 +166,12 @@ public class CipherMiniDetailsResponseModel : CipherMiniResponseModel
         CollectionIds = cipher.CollectionIds ?? new List<Guid>();
     }
 
+    public CipherMiniDetailsResponseModel(CipherOrganizationDetailsWithCollections cipher,
+        GlobalSettings globalSettings, string obj = "cipherMiniDetails")
+        : base(cipher, globalSettings, cipher.OrganizationUseTotp, obj)
+    {
+        CollectionIds = cipher.CollectionIds ?? new List<Guid>();
+    }
+
     public IEnumerable<Guid> CollectionIds { get; set; }
 }

src/Core/Constants.cs

@@ -153,6 +153,7 @@ public static class FeatureFlagKeys
     public const string NewDeviceVerificationPermanentDismiss = "new-device-permanent-dismiss";
     public const string SecurityTasks = "security-tasks";
     public const string PM14401_ScaleMSPOnClientOrganizationUpdate = "PM-14401-scale-msp-on-client-organization-update";
+    public const string PM11360RemoveProviderExportPermission = "pm-11360-remove-provider-export-permission";
     public const string DisableFreeFamiliesSponsorship = "PM-12274-disable-free-families-sponsorship";
     public const string MacOsNativeCredentialSync = "macos-native-credential-sync";
     public const string PM9111ExtensionPersistAddEditForm = "pm-9111-extension-persist-add-edit-form";

src/Core/Vault/Queries/IOrganizationCiphersQuery.cs

@@ -27,4 +27,14 @@ public interface IOrganizationCiphersQuery
     /// </summary>
     /// <exception cref="FeatureUnavailableException"></exception>
     Task<IEnumerable<CipherOrganizationDetails>> GetUnassignedOrganizationCiphers(Guid organizationId);
+
+    /// <summary>
+    /// Returns ciphers belonging to the organization that are in the specified collections.
+    /// </summary>
+    /// <remarks>
+    /// Note that the <see cref="CipherOrganizationDetailsWithCollections.CollectionIds"/> will include all collections
+    /// the cipher belongs to even if it is not in the <paramref name="collectionIds"/> parameter.
+    /// </remarks>
+    public Task<IEnumerable<CipherOrganizationDetailsWithCollections>> GetOrganizationCiphersByCollectionIds(
+        Guid organizationId, IEnumerable<Guid> collectionIds);
 }

src/Core/Vault/Queries/OrganizationCiphersQuery.cs

@@ -52,4 +52,13 @@ public class OrganizationCiphersQuery : IOrganizationCiphersQuery
     {
         return await _cipherRepository.GetManyUnassignedOrganizationDetailsByOrganizationIdAsync(organizationId);
     }
+
+    /// <inheritdoc />
+    public async Task<IEnumerable<CipherOrganizationDetailsWithCollections>> GetOrganizationCiphersByCollectionIds(
+        Guid organizationId, IEnumerable<Guid> collectionIds)
+    {
+        var managedCollectionIds = collectionIds.ToHashSet();
+        var allOrganizationCiphers = await GetAllOrganizationCiphers(organizationId);
+        return allOrganizationCiphers.Where(c => c.CollectionIds.Intersect(managedCollectionIds).Any());
+    }
 }

test/Api.Test/Tools/Authorization/VaultExportAuthorizationHandlerTests.cs

@@ -0,0 +1,95 @@
+using System.Security.Claims;
+using Bit.Api.Tools.Authorization;
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+using Bit.Core.Test.AdminConsole.Helpers;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using Microsoft.AspNetCore.Authorization;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Api.Test.Tools.Authorization;
+
+[SutProviderCustomize]
+public class VaultExportAuthorizationHandlerTests
+{
+    public static IEnumerable<object[]> CanExportWholeVault => new List<CurrentContextOrganization>
+    {
+        new () { Type = OrganizationUserType.Owner },
+        new () { Type = OrganizationUserType.Admin },
+        new ()
+        {
+            Type = OrganizationUserType.Custom, Permissions = new Permissions { AccessImportExport = true }
+        }
+    }.Select(org => new[] { org });
+
+    [Theory]
+    [BitMemberAutoData(nameof(CanExportWholeVault))]
+    public async Task ExportAll_PermittedRoles_Success(CurrentContextOrganization org, OrganizationScope orgScope, ClaimsPrincipal user,
+        SutProvider<VaultExportAuthorizationHandler> sutProvider)
+    {
+        org.Id = orgScope;
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgScope).Returns(org);
+
+        var authContext = new AuthorizationHandlerContext(new[] { VaultExportOperations.ExportWholeVault }, user, orgScope);
+        await sutProvider.Sut.HandleAsync(authContext);
+
+        Assert.True(authContext.HasSucceeded);
+    }
+
+    public static IEnumerable<object[]> CannotExportWholeVault => new List<CurrentContextOrganization>
+    {
+        new () { Type = OrganizationUserType.User },
+        new ()
+        {
+            Type = OrganizationUserType.Custom, Permissions = new Permissions { AccessImportExport = true }.Invert()
+        }
+    }.Select(org => new[] { org });
+
+    [Theory]
+    [BitMemberAutoData(nameof(CannotExportWholeVault))]
+    public async Task ExportAll_NotPermitted_Failure(CurrentContextOrganization org, OrganizationScope orgScope, ClaimsPrincipal user,
+        SutProvider<VaultExportAuthorizationHandler> sutProvider)
+    {
+        org.Id = orgScope;
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgScope).Returns(org);
+
+        var authContext = new AuthorizationHandlerContext(new[] { VaultExportOperations.ExportWholeVault }, user, orgScope);
+        await sutProvider.Sut.HandleAsync(authContext);
+
+        Assert.False(authContext.HasSucceeded);
+    }
+
+    public static IEnumerable<object[]> CanExportManagedCollections =>
+        AuthorizationHelpers.AllRoles().Select(o => new[] { o });
+
+    [Theory]
+    [BitMemberAutoData(nameof(CanExportManagedCollections))]
+    public async Task ExportManagedCollections_PermittedRoles_Success(CurrentContextOrganization org, OrganizationScope orgScope, ClaimsPrincipal user,
+        SutProvider<VaultExportAuthorizationHandler> sutProvider)
+    {
+        org.Id = orgScope;
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgScope).Returns(org);
+
+        var authContext = new AuthorizationHandlerContext(new[] { VaultExportOperations.ExportManagedCollections }, user, orgScope);
+        await sutProvider.Sut.HandleAsync(authContext);
+
+        Assert.True(authContext.HasSucceeded);
+    }
+
+    [Theory]
+    [BitAutoData([null])]
+    public async Task ExportManagedCollections_NotPermitted_Failure(CurrentContextOrganization org, OrganizationScope orgScope, ClaimsPrincipal user,
+        SutProvider<VaultExportAuthorizationHandler> sutProvider)
+    {
+        sutProvider.GetDependency<ICurrentContext>().GetOrganization(orgScope).Returns(org);
+
+        var authContext = new AuthorizationHandlerContext(new[] { VaultExportOperations.ExportManagedCollections }, user, orgScope);
+        await sutProvider.Sut.HandleAsync(authContext);
+
+        Assert.False(authContext.HasSucceeded);
+    }
+}

test/Core.Test/AdminConsole/Helpers/AuthorizationHelpers.cs

@@ -0,0 +1,52 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Models.Data;
+
+namespace Bit.Core.Test.AdminConsole.Helpers;
+
+public static class AuthorizationHelpers
+{
+    /// <summary>
+    /// Return a new Permission object with inverted permissions.
+    /// This is useful to test negative cases, e.g. "all other permissions should fail".
+    /// </summary>
+    /// <param name="permissions"></param>
+    /// <returns></returns>
+    public static Permissions Invert(this Permissions permissions)
+    {
+        // Get all false boolean properties of input object
+        var inputsToFlip = permissions
+            .GetType()
+            .GetProperties()
+            .Where(p =>
+                p.PropertyType == typeof(bool) &&
+                (bool)p.GetValue(permissions, null)! == false)
+            .Select(p => p.Name);
+
+        var result = new Permissions();
+
+        // Set these to true on the result object
+        result
+            .GetType()
+            .GetProperties()
+            .Where(p => inputsToFlip.Contains(p.Name))
+            .ToList()
+            .ForEach(p => p.SetValue(result, true));
+
+        return result;
+    }
+
+    /// <summary>
+    /// Returns a sequence of all possible roles and permissions represented as CurrentContextOrganization objects.
+    /// Used largely for authorization testing.
+    /// </summary>
+    /// <returns></returns>
+    public static IEnumerable<CurrentContextOrganization> AllRoles() => new List<CurrentContextOrganization>
+    {
+        new () { Type = OrganizationUserType.Owner },
+        new () { Type = OrganizationUserType.Admin },
+        new () { Type = OrganizationUserType.Custom, Permissions = new Permissions() },
+        new () { Type = OrganizationUserType.Custom, Permissions = new Permissions().Invert() },
+        new () { Type = OrganizationUserType.User },
+    };
+}

test/Core.Test/AdminConsole/Helpers/AuthorizationHelpersTests.cs

@@ -0,0 +1,38 @@
+using Bit.Core.Models.Data;
+using Xunit;
+
+namespace Bit.Core.Test.AdminConsole.Helpers;
+
+public class AuthorizationHelpersTests
+{
+    [Fact]
+    public void Permissions_Invert_InvertsAllPermissions()
+    {
+        var sut = new Permissions
+        {
+            AccessEventLogs = true,
+            AccessReports = true,
+            DeleteAnyCollection = true,
+            ManagePolicies = true,
+            ManageScim = true
+        };
+
+        var result = sut.Invert();
+
+        Assert.True(result is
+        {
+            AccessEventLogs: false,
+            AccessImportExport: true,
+            AccessReports: false,
+            CreateNewCollections: true,
+            EditAnyCollection: true,
+            DeleteAnyCollection: false,
+            ManageGroups: true,
+            ManagePolicies: false,
+            ManageSso: true,
+            ManageUsers: true,
+            ManageResetPassword: true,
+            ManageScim: false
+        });
+    }
+}

test/Core.Test/Vault/Queries/OrganizationCiphersQueryTests.cs

@@ -0,0 +1,92 @@
+using AutoFixture;
+using Bit.Core.Entities;
+using Bit.Core.Repositories;
+using Bit.Core.Vault.Models.Data;
+using Bit.Core.Vault.Queries;
+using Bit.Core.Vault.Repositories;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.Vault.Queries;
+
+[SutProviderCustomize]
+public class OrganizationCiphersQueryTests
+{
+    [Theory, BitAutoData]
+    public async Task GetOrganizationCiphersInCollections_ReturnsFilteredCiphers(
+        Guid organizationId, SutProvider<OrganizationCiphersQuery> sutProvider)
+    {
+        var fixture = new Fixture();
+
+        var otherCollectionId = Guid.NewGuid();
+        var targetCollectionId = Guid.NewGuid();
+
+        var otherCipher = fixture.Create<CipherOrganizationDetails>();
+        var targetCipher = fixture.Create<CipherOrganizationDetails>();
+        var bothCipher = fixture.Create<CipherOrganizationDetails>();
+        var noCipher = fixture.Create<CipherOrganizationDetails>();
+
+        var ciphers = new List<CipherOrganizationDetails>
+        {
+            otherCipher,    // not in the target collection
+            targetCipher,   // in the target collection
+            bothCipher,     // in both collections
+            noCipher        // not in any collection
+        };
+        ciphers.ForEach(c =>
+        {
+            c.OrganizationId = organizationId;
+            c.UserId = null;
+        });
+
+        var otherCollectionCipher = new CollectionCipher
+        {
+            CollectionId = otherCollectionId,
+            CipherId = otherCipher.Id
+        };
+        var targetCollectionCipher = new CollectionCipher
+        {
+            CollectionId = targetCollectionId,
+            CipherId = targetCipher.Id
+        };
+        var bothCollectionCipher1 = new CollectionCipher
+        {
+            CollectionId = targetCollectionId,
+            CipherId = bothCipher.Id
+        };
+        var bothCollectionCipher2 = new CollectionCipher
+        {
+            CollectionId = otherCollectionId,
+            CipherId = bothCipher.Id
+        };
+
+        sutProvider.GetDependency<ICipherRepository>().GetManyOrganizationDetailsByOrganizationIdAsync(organizationId)
+            .Returns(ciphers);
+
+        sutProvider.GetDependency<ICollectionCipherRepository>().GetManyByOrganizationIdAsync(organizationId).Returns(
+        [
+            targetCollectionCipher,
+            otherCollectionCipher,
+            bothCollectionCipher1,
+            bothCollectionCipher2
+        ]);
+
+        var result = await sutProvider
+            .Sut
+            .GetOrganizationCiphersByCollectionIds(organizationId, [targetCollectionId]);
+        result = result.ToList();
+
+        Assert.Equal(2, result.Count());
+        Assert.Contains(result, c =>
+            c.Id == targetCipher.Id &&
+            c.CollectionIds.Count() == 1 &&
+            c.CollectionIds.Any(cId => cId == targetCollectionId));
+        Assert.Contains(result, c =>
+            c.Id == bothCipher.Id &&
+            c.CollectionIds.Count() == 2 &&
+            c.CollectionIds.Any(cId => cId == targetCollectionId) &&
+            c.CollectionIds.Any(cId => cId == otherCollectionId));
+    }
+}