nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-04-05 05:00:19 -05:00
Code

[SM-577] - ACCESS POLICY fixing issue with user being able to update a secret if they are assi… (#2763)

Browse Source 
* fixing issue with user being able to update a secret if they are assigning it to a project that has read/write permissions. Even though the customer is only allowed to read.

* Add additional check for newly assigned project access and original project access.

* fixing Lint issue

* Fixing tests

* uneeded param removed

* Updating to extract logic into function

* renaming function

* lint fixes

* renaming function
This commit is contained in:
cd-bitwarden 2023-03-07 13:22:03 -05:00 committed by GitHub
parent 48ae4a2e92
commit 7334de636b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
bitwarden_license/src/Commercial.Core/SecretsManager/Commands/Secrets/UpdateSecretCommand.cs
View File

@ -31,21 +31,7 @@ public class UpdateSecretCommand : IUpdateSecretCommand
var orgAdmin = await _currentContext.OrganizationAdmin(secret.OrganizationId);
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
var project = updatedSecret.Projects?.FirstOrDefault();
if (secret.Projects != null && secret.Projects.Any() && project == null)
{
throw new NotFoundException();
}
var hasAccess = accessClient switch
{
AccessClientType.NoAccessCheck => true,
AccessClientType.User => project != null && await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
_ => false,
};
if (!hasAccess)
if (!await HasAccessToOriginalAndUpdatedProject(accessClient, secret, updatedSecret, userId))
{
throw new NotFoundException();
}
@ -59,4 +45,21 @@ public class UpdateSecretCommand : IUpdateSecretCommand
await _secretRepository.UpdateAsync(secret);
return secret;
}
public async Task<bool> HasAccessToOriginalAndUpdatedProject(AccessClientType accessClient, Secret secret, Secret updatedSecret, Guid userId)
{
switch (accessClient)
{
case AccessClientType.NoAccessCheck:
return true;
case AccessClientType.User:
var oldProject = secret.Projects?.FirstOrDefault();
var newProject = updatedSecret.Projects?.FirstOrDefault();
var accessToOld = oldProject != null && await _projectRepository.UserHasWriteAccessToProject(oldProject.Id, userId);
var accessToNew = newProject != null && await _projectRepository.UserHasWriteAccessToProject(newProject.Id, userId);
return accessToOld && accessToNew;
default:
return false;
}
}
}

2
bitwarden_license/test/Commercial.Core.Test/SecretsManager/Secrets/UpdateSecretCommandTests.cs
View File

@ -34,6 +34,7 @@ public class UpdateSecretCommandTests
public async Task UpdateAsync_Success(PermissionType permissionType, Secret data, SutProvider<UpdateSecretCommand> sutProvider, Guid userId, Project mockProject)
{
sutProvider.GetDependency<ICurrentContext>().AccessSecretsManager(data.OrganizationId).Returns(true);
data.Projects = new List<Project>() { mockProject };
if (permissionType == PermissionType.RunAsAdmin)
{
@ -41,7 +42,6 @@ public class UpdateSecretCommandTests
}
else
{
data.Projects = new List<Project>() { mockProject };
sutProvider.GetDependency<ICurrentContext>().OrganizationAdmin(data.OrganizationId).Returns(false);
sutProvider.GetDependency<IProjectRepository>().UserHasWriteAccessToProject((Guid)(data.Projects?.First().Id), userId).Returns(true);
}