mirror of
https://github.com/bitwarden/server.git
synced 2025-06-30 07:36:14 -05:00
[AC-1809] Update OrganizationAbility with Collection Management Settings (#3571)
* feat: Update OrganizationAbility with LimitCollectionCreationDeletion, refs AC-1809 * feat: Update OrganizationAbility constructor usage to pass feature flag state, refs AC-1809 * feat: Update EF retrieval of org abilities to include new property from database, refs AC-1809 * feat: Update sproc to include LimitCollectionCreationDeletion property and create migration, refs AC-1809 * feat: Inject ApplicationCache into handler accessing LimitCollectionCreationDeletion, refs AC-1809 * feat: remove collection management settings from CurrentContextOrganization and update tests, refs AC-1809 * feat: add AllowAdminAccessToAllCollectionItems to OrganizationAbility pipeline, refs AC-1809 --------- Co-authored-by: Thomas Rittson <trittson@bitwarden.com> Co-authored-by: Thomas Rittson <31796059+eliykat@users.noreply.github.com>
This commit is contained in:
Vincent Salucci
@ -4,6 +4,7 @@ using Bit.Core.Context;
|
||||
using Bit.Core.Entities;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Models.Data.Organizations;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using Bit.Core.Utilities;
|
||||
@ -20,6 +21,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly ICollectionRepository _collectionRepository;
|
||||
private readonly IFeatureService _featureService;
|
||||
private readonly IApplicationCacheService _applicationCacheService;
|
||||
private Guid _targetOrganizationId;
|
||||
|
||||
private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
|
||||
@ -27,11 +29,13 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
|
||||
public BulkCollectionAuthorizationHandler(
|
||||
ICurrentContext currentContext,
|
||||
ICollectionRepository collectionRepository,
|
||||
IFeatureService featureService)
|
||||
IFeatureService featureService,
|
||||
IApplicationCacheService applicationCacheService)
|
||||
{
|
||||
_currentContext = currentContext;
|
||||
_collectionRepository = collectionRepository;
|
||||
_featureService = featureService;
|
||||
_applicationCacheService = applicationCacheService;
|
||||
}
|
||||
|
||||
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
|
||||
@ -84,7 +88,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
|
||||
|
||||
case not null when requirement == BulkCollectionOperations.Update:
|
||||
case not null when requirement == BulkCollectionOperations.ModifyAccess:
|
||||
await CanUpdateCollection(context, requirement, resources, org);
|
||||
await CanUpdateCollectionAsync(context, requirement, resources, org);
|
||||
break;
|
||||
|
||||
case not null when requirement == BulkCollectionOperations.Delete:
|
||||
@ -96,10 +100,8 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
|
||||
private async Task CanCreateAsync(AuthorizationHandlerContext context, IAuthorizationRequirement requirement,
|
||||
CurrentContextOrganization? org)
|
||||
{
|
||||
// If the limit collection management setting is disabled, allow any user to create collections
|
||||
// Otherwise, Owners, Admins, and users with CreateNewCollections permission can always create collections
|
||||
// Owners, Admins, and users with CreateNewCollections permission can always create collections
|
||||
if (org is
|
||||
{ LimitCollectionCreationDeletion: false } or
|
||||
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
|
||||
{ Permissions.CreateNewCollections: true })
|
||||
{
|
||||
@ -107,6 +109,13 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
|
||||
return;
|
||||
}
|
||||
|
||||
// If the limit collection management setting is disabled, allow any user to create collections
|
||||
if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
return;
|
||||
}
|
||||
|
||||
// Allow provider users to create collections if they are a provider for the target organization
|
||||
if (await _currentContext.ProviderUserForOrgAsync(_targetOrganizationId))
|
||||
{
|
||||
@ -182,7 +191,7 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
|
||||
/// <summary>
|
||||
/// Ensures the acting user is allowed to update the target collections or manage access permissions for them.
|
||||
/// </summary>
|
||||
private async Task CanUpdateCollection(AuthorizationHandlerContext context,
|
||||
private async Task CanUpdateCollectionAsync(AuthorizationHandlerContext context,
|
||||
IAuthorizationRequirement requirement, ICollection<Collection> resources,
|
||||
CurrentContextOrganization? org)
|
||||
{
|
||||
@ -226,9 +235,10 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
|
||||
return;
|
||||
}
|
||||
|
||||
// Check for non-null org here: the user must be apart of the organization for this setting to take affect
|
||||
// The limit collection management setting is disabled,
|
||||
// ensure acting user has manage permissions for all collections being deleted
|
||||
if (org is { LimitCollectionCreationDeletion: false })
|
||||
if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
|
||||
{
|
||||
var canManageCollections = await CanManageCollectionsAsync(resources, org);
|
||||
if (canManageCollections)
|
||||
@ -261,4 +271,19 @@ public class BulkCollectionAuthorizationHandler : BulkAuthorizationHandler<BulkC
|
||||
// Check if the acting user has access to all target collections
|
||||
return targetCollections.All(tc => assignedCollectionIds.Contains(tc.Id));
|
||||
}
|
||||
|
||||
private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
|
||||
{
|
||||
// If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
|
||||
// irrelevant
|
||||
if (organization == null)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
(await _applicationCacheService.GetOrganizationAbilitiesAsync())
|
||||
.TryGetValue(organization.Id, out var organizationAbility);
|
||||
|
||||
return organizationAbility;
|
||||
}
|
||||
}
|
||||
|
||||
@ -3,6 +3,7 @@ using Bit.Core;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Models.Data.Organizations;
|
||||
using Bit.Core.Services;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
|
||||
@ -16,15 +17,18 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
|
||||
{
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly IFeatureService _featureService;
|
||||
private readonly IApplicationCacheService _applicationCacheService;
|
||||
|
||||
private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
|
||||
|
||||
public GroupAuthorizationHandler(
|
||||
ICurrentContext currentContext,
|
||||
IFeatureService featureService)
|
||||
IFeatureService featureService,
|
||||
IApplicationCacheService applicationCacheService)
|
||||
{
|
||||
_currentContext = currentContext;
|
||||
_featureService = featureService;
|
||||
_applicationCacheService = applicationCacheService;
|
||||
}
|
||||
|
||||
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
|
||||
@ -62,10 +66,8 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
|
||||
private async Task CanReadAllAsync(AuthorizationHandlerContext context, GroupOperationRequirement requirement,
|
||||
CurrentContextOrganization? org)
|
||||
{
|
||||
// If the limit collection management setting is disabled, allow any user to read all groups
|
||||
// Otherwise, Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all groups
|
||||
// Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all groups
|
||||
if (org is
|
||||
{ LimitCollectionCreationDeletion: false } or
|
||||
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
|
||||
{ Permissions.ManageGroups: true } or
|
||||
{ Permissions.ManageUsers: true } or
|
||||
@ -77,10 +79,33 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
|
||||
return;
|
||||
}
|
||||
|
||||
// Check for non-null org here: the user must be apart of the organization for this setting to take affect
|
||||
// If the limit collection management setting is disabled, allow any user to read all groups
|
||||
if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
return;
|
||||
}
|
||||
|
||||
// Allow provider users to read all groups if they are a provider for the target organization
|
||||
if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
}
|
||||
|
||||
private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
|
||||
{
|
||||
// If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
|
||||
// irrelevant
|
||||
if (organization == null)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
(await _applicationCacheService.GetOrganizationAbilitiesAsync())
|
||||
.TryGetValue(organization.Id, out var organizationAbility);
|
||||
|
||||
return organizationAbility;
|
||||
}
|
||||
}
|
||||
|
||||
@ -3,6 +3,7 @@ using Bit.Core;
|
||||
using Bit.Core.Context;
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.Exceptions;
|
||||
using Bit.Core.Models.Data.Organizations;
|
||||
using Bit.Core.Services;
|
||||
using Microsoft.AspNetCore.Authorization;
|
||||
|
||||
@ -16,15 +17,18 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
|
||||
{
|
||||
private readonly ICurrentContext _currentContext;
|
||||
private readonly IFeatureService _featureService;
|
||||
private readonly IApplicationCacheService _applicationCacheService;
|
||||
|
||||
private bool FlexibleCollectionsIsEnabled => _featureService.IsEnabled(FeatureFlagKeys.FlexibleCollections, _currentContext);
|
||||
|
||||
public OrganizationUserAuthorizationHandler(
|
||||
ICurrentContext currentContext,
|
||||
IFeatureService featureService)
|
||||
IFeatureService featureService,
|
||||
IApplicationCacheService applicationCacheService)
|
||||
{
|
||||
_currentContext = currentContext;
|
||||
_featureService = featureService;
|
||||
_applicationCacheService = applicationCacheService;
|
||||
}
|
||||
|
||||
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
|
||||
@ -64,7 +68,6 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
|
||||
// If the limit collection management setting is disabled, allow any user to read all organization users
|
||||
// Otherwise, Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all organization users
|
||||
if (org is
|
||||
{ LimitCollectionCreationDeletion: false } or
|
||||
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
|
||||
{ Permissions.ManageGroups: true } or
|
||||
{ Permissions.ManageUsers: true } or
|
||||
@ -76,10 +79,33 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
|
||||
return;
|
||||
}
|
||||
|
||||
// Check for non-null org here: the user must be apart of the organization for this setting to take affect
|
||||
// If the limit collection management setting is disabled, allow any user to read all organization users
|
||||
if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
return;
|
||||
}
|
||||
|
||||
// Allow provider users to read all organization users if they are a provider for the target organization
|
||||
if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
|
||||
{
|
||||
context.Succeed(requirement);
|
||||
}
|
||||
}
|
||||
|
||||
private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
|
||||
{
|
||||
// If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
|
||||
// irrelevant
|
||||
if (organization == null)
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
(await _applicationCacheService.GetOrganizationAbilitiesAsync())
|
||||
.TryGetValue(organization.Id, out var organizationAbility);
|
||||
|
||||
return organizationAbility;
|
||||
}
|
||||
}
|
||||
|
||||
@ -15,14 +15,10 @@ public class CurrentContextOrganization
|
||||
Type = orgUser.Type;
|
||||
Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(orgUser.Permissions);
|
||||
AccessSecretsManager = orgUser.AccessSecretsManager && orgUser.UseSecretsManager && orgUser.Enabled;
|
||||
LimitCollectionCreationDeletion = orgUser.LimitCollectionCreationDeletion;
|
||||
AllowAdminAccessToAllCollectionItems = orgUser.AllowAdminAccessToAllCollectionItems;
|
||||
}
|
||||
|
||||
public Guid Id { get; set; }
|
||||
public OrganizationUserType Type { get; set; }
|
||||
public Permissions Permissions { get; set; } = new();
|
||||
public bool AccessSecretsManager { get; set; }
|
||||
public bool LimitCollectionCreationDeletion { get; set; }
|
||||
public bool AllowAdminAccessToAllCollectionItems { get; set; }
|
||||
}
|
||||
|
||||
@ -21,6 +21,8 @@ public class OrganizationAbility
|
||||
UseResetPassword = organization.UseResetPassword;
|
||||
UseCustomPermissions = organization.UseCustomPermissions;
|
||||
UsePolicies = organization.UsePolicies;
|
||||
LimitCollectionCreationDeletion = organization.LimitCollectionCreationDeletion;
|
||||
AllowAdminAccessToAllCollectionItems = organization.AllowAdminAccessToAllCollectionItems;
|
||||
}
|
||||
|
||||
public Guid Id { get; set; }
|
||||
@ -35,4 +37,6 @@ public class OrganizationAbility
|
||||
public bool UseResetPassword { get; set; }
|
||||
public bool UseCustomPermissions { get; set; }
|
||||
public bool UsePolicies { get; set; }
|
||||
public bool LimitCollectionCreationDeletion { get; set; }
|
||||
public bool AllowAdminAccessToAllCollectionItems { get; set; }
|
||||
}
|
||||
|
||||
@ -54,7 +54,7 @@ public class CurrentContext : ICurrentContext
|
||||
{
|
||||
_providerOrganizationRepository = providerOrganizationRepository;
|
||||
_providerUserRepository = providerUserRepository;
|
||||
_featureService = featureService;
|
||||
_featureService = featureService; ;
|
||||
}
|
||||
|
||||
public async virtual Task BuildAsync(HttpContext httpContext, GlobalSettings globalSettings)
|
||||
@ -383,15 +383,10 @@ public class CurrentContext : ICurrentContext
|
||||
throw new FeatureUnavailableException("Flexible Collections is ON when it should be OFF.");
|
||||
}
|
||||
|
||||
var canCreateNewCollections = false;
|
||||
var org = GetOrganization(orgId);
|
||||
if (org != null)
|
||||
{
|
||||
canCreateNewCollections = !org.LimitCollectionCreationDeletion || org.Permissions.CreateNewCollections;
|
||||
}
|
||||
return await EditAssignedCollections(orgId)
|
||||
|| await DeleteAssignedCollections(orgId)
|
||||
|| canCreateNewCollections;
|
||||
|| (org != null && org.Permissions.CreateNewCollections);
|
||||
}
|
||||
|
||||
public async Task<bool> ManageGroups(Guid orgId)
|
||||
|
||||
@ -88,7 +88,9 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
|
||||
UseResetPassword = e.UseResetPassword,
|
||||
UseScim = e.UseScim,
|
||||
UseCustomPermissions = e.UseCustomPermissions,
|
||||
UsePolicies = e.UsePolicies
|
||||
UsePolicies = e.UsePolicies,
|
||||
LimitCollectionCreationDeletion = e.LimitCollectionCreationDeletion,
|
||||
AllowAdminAccessToAllCollectionItems = e.AllowAdminAccessToAllCollectionItems
|
||||
}).ToListAsync();
|
||||
}
|
||||
}
|
||||
|
||||
@ -20,7 +20,9 @@ BEGIN
|
||||
[UseScim],
|
||||
[UseResetPassword],
|
||||
[UsePolicies],
|
||||
[Enabled]
|
||||
[Enabled],
|
||||
[LimitCollectionCreationDeletion],
|
||||
[AllowAdminAccessToAllCollectionItems]
|
||||
FROM
|
||||
[dbo].[Organization]
|
||||
END
|
||||
|
||||
Reference in New Issue
Block a user