mirror of
https://github.com/bitwarden/server.git
synced 2025-07-01 08:02:49 -05:00
[SM-923] Add project service accounts access policies management endpoints (#3993)
* Add new models * Update repositories * Add new authz handler * Add new query * Add new command * Add authz, command, and query to DI * Add new endpoint to controller * Add query unit tests * Add api unit tests * Add api integration tests
This commit is contained in:
Thomas Avery
@ -29,8 +29,10 @@ public class AccessPoliciesController : Controller
|
||||
private readonly IServiceAccountRepository _serviceAccountRepository;
|
||||
private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
|
||||
private readonly IUpdateServiceAccountGrantedPoliciesCommand _updateServiceAccountGrantedPoliciesCommand;
|
||||
private readonly IUpdateProjectServiceAccountsAccessPoliciesCommand _updateProjectServiceAccountsAccessPoliciesCommand;
|
||||
private readonly IAccessClientQuery _accessClientQuery;
|
||||
private readonly IServiceAccountGrantedPolicyUpdatesQuery _serviceAccountGrantedPolicyUpdatesQuery;
|
||||
private readonly IProjectServiceAccountsAccessPoliciesUpdatesQuery _projectServiceAccountsAccessPoliciesUpdatesQuery;
|
||||
private readonly IUserService _userService;
|
||||
private readonly IAuthorizationService _authorizationService;
|
||||
|
||||
@ -43,9 +45,11 @@ public class AccessPoliciesController : Controller
|
||||
IProjectRepository projectRepository,
|
||||
IAccessClientQuery accessClientQuery,
|
||||
IServiceAccountGrantedPolicyUpdatesQuery serviceAccountGrantedPolicyUpdatesQuery,
|
||||
IProjectServiceAccountsAccessPoliciesUpdatesQuery projectServiceAccountsAccessPoliciesUpdatesQuery,
|
||||
IUpdateServiceAccountGrantedPoliciesCommand updateServiceAccountGrantedPoliciesCommand,
|
||||
ICreateAccessPoliciesCommand createAccessPoliciesCommand,
|
||||
IDeleteAccessPolicyCommand deleteAccessPolicyCommand,
|
||||
IUpdateProjectServiceAccountsAccessPoliciesCommand updateProjectServiceAccountsAccessPoliciesCommand,
|
||||
IUpdateAccessPolicyCommand updateAccessPolicyCommand)
|
||||
{
|
||||
_authorizationService = authorizationService;
|
||||
@ -60,6 +64,8 @@ public class AccessPoliciesController : Controller
|
||||
_updateServiceAccountGrantedPoliciesCommand = updateServiceAccountGrantedPoliciesCommand;
|
||||
_accessClientQuery = accessClientQuery;
|
||||
_serviceAccountGrantedPolicyUpdatesQuery = serviceAccountGrantedPolicyUpdatesQuery;
|
||||
_projectServiceAccountsAccessPoliciesUpdatesQuery = projectServiceAccountsAccessPoliciesUpdatesQuery;
|
||||
_updateProjectServiceAccountsAccessPoliciesCommand = updateProjectServiceAccountsAccessPoliciesCommand;
|
||||
}
|
||||
|
||||
[HttpPost("/projects/{id}/access-policies")]
|
||||
@ -296,6 +302,41 @@ public class AccessPoliciesController : Controller
|
||||
return await GetServiceAccountGrantedPoliciesAsync(serviceAccount);
|
||||
}
|
||||
|
||||
[HttpGet("/projects/{id}/access-policies/service-accounts")]
|
||||
public async Task<ProjectServiceAccountsAccessPoliciesResponseModel>
|
||||
GetProjectServiceAccountsAccessPoliciesAsync(
|
||||
[FromRoute] Guid id)
|
||||
{
|
||||
var project = await _projectRepository.GetByIdAsync(id);
|
||||
await CheckUserHasWriteAccessToProjectAsync(project);
|
||||
var results =
|
||||
await _accessPolicyRepository.GetProjectServiceAccountsAccessPoliciesAsync(id);
|
||||
return new ProjectServiceAccountsAccessPoliciesResponseModel(results);
|
||||
}
|
||||
|
||||
[HttpPut("/projects/{id}/access-policies/service-accounts")]
|
||||
public async Task<ProjectServiceAccountsAccessPoliciesResponseModel>
|
||||
PutProjectServiceAccountsAccessPoliciesAsync([FromRoute] Guid id,
|
||||
[FromBody] ProjectServiceAccountsAccessPoliciesRequestModel request)
|
||||
{
|
||||
var project = await _projectRepository.GetByIdAsync(id) ?? throw new NotFoundException();
|
||||
var accessPoliciesUpdates =
|
||||
await _projectServiceAccountsAccessPoliciesUpdatesQuery.GetAsync(
|
||||
request.ToProjectServiceAccountsAccessPolicies(project));
|
||||
|
||||
var authorizationResult = await _authorizationService.AuthorizeAsync(User, accessPoliciesUpdates,
|
||||
ProjectServiceAccountsAccessPoliciesOperations.Updates);
|
||||
if (!authorizationResult.Succeeded)
|
||||
{
|
||||
throw new NotFoundException();
|
||||
}
|
||||
|
||||
await _updateProjectServiceAccountsAccessPoliciesCommand.UpdateAsync(accessPoliciesUpdates);
|
||||
|
||||
var results = await _accessPolicyRepository.GetProjectServiceAccountsAccessPoliciesAsync(id);
|
||||
return new ProjectServiceAccountsAccessPoliciesResponseModel(results);
|
||||
}
|
||||
|
||||
private async Task<(AccessClientType AccessClientType, Guid UserId)> CheckUserHasWriteAccessToProjectAsync(Project project)
|
||||
{
|
||||
if (project == null)
|
||||
|
||||
@ -0,0 +1,28 @@
|
||||
#nullable enable
|
||||
using Bit.Api.SecretsManager.Utilities;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Models.Data;
|
||||
|
||||
namespace Bit.Api.SecretsManager.Models.Request;
|
||||
|
||||
public class ProjectServiceAccountsAccessPoliciesRequestModel
|
||||
{
|
||||
public required IEnumerable<AccessPolicyRequest> ServiceAccountAccessPolicyRequests { get; set; }
|
||||
|
||||
public ProjectServiceAccountsAccessPolicies ToProjectServiceAccountsAccessPolicies(Project project)
|
||||
{
|
||||
var serviceAccountAccessPolicies = ServiceAccountAccessPolicyRequests
|
||||
.Select(x => x.ToServiceAccountProjectAccessPolicy(project.Id, project.OrganizationId))
|
||||
.ToList();
|
||||
|
||||
AccessPolicyHelpers.CheckForDistinctAccessPolicies(serviceAccountAccessPolicies);
|
||||
AccessPolicyHelpers.CheckAccessPoliciesHaveReadPermission(serviceAccountAccessPolicies);
|
||||
|
||||
return new ProjectServiceAccountsAccessPolicies
|
||||
{
|
||||
ProjectId = project.Id,
|
||||
OrganizationId = project.OrganizationId,
|
||||
ServiceAccountAccessPolicies = serviceAccountAccessPolicies
|
||||
};
|
||||
}
|
||||
}
|
||||
@ -0,0 +1,29 @@
|
||||
#nullable enable
|
||||
using Bit.Core.Models.Api;
|
||||
using Bit.Core.SecretsManager.Models.Data;
|
||||
|
||||
namespace Bit.Api.SecretsManager.Models.Response;
|
||||
|
||||
public class ProjectServiceAccountsAccessPoliciesResponseModel : ResponseModel
|
||||
{
|
||||
private const string _objectName = "ProjectServiceAccountsAccessPolicies";
|
||||
|
||||
public ProjectServiceAccountsAccessPoliciesResponseModel(
|
||||
ProjectServiceAccountsAccessPolicies? projectServiceAccountsAccessPolicies)
|
||||
: base(_objectName)
|
||||
{
|
||||
if (projectServiceAccountsAccessPolicies == null)
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
ServiceAccountAccessPolicies = projectServiceAccountsAccessPolicies.ServiceAccountAccessPolicies
|
||||
.Select(x => new ServiceAccountProjectAccessPolicyResponseModel(x)).ToList();
|
||||
}
|
||||
|
||||
public ProjectServiceAccountsAccessPoliciesResponseModel() : base(_objectName)
|
||||
{
|
||||
}
|
||||
|
||||
public List<ServiceAccountProjectAccessPolicyResponseModel> ServiceAccountAccessPolicies { get; set; } = [];
|
||||
}
|
||||
@ -0,0 +1,14 @@
|
||||
#nullable enable
|
||||
using Microsoft.AspNetCore.Authorization.Infrastructure;
|
||||
|
||||
namespace Bit.Core.SecretsManager.AuthorizationRequirements;
|
||||
|
||||
public class ProjectServiceAccountsAccessPoliciesOperationRequirement : OperationAuthorizationRequirement
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
public static class ProjectServiceAccountsAccessPoliciesOperations
|
||||
{
|
||||
public static readonly ProjectServiceAccountsAccessPoliciesOperationRequirement Updates = new() { Name = nameof(Updates) };
|
||||
}
|
||||
@ -0,0 +1,9 @@
|
||||
#nullable enable
|
||||
using Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
|
||||
|
||||
namespace Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
|
||||
|
||||
public interface IUpdateProjectServiceAccountsAccessPoliciesCommand
|
||||
{
|
||||
Task UpdateAsync(ProjectServiceAccountsAccessPoliciesUpdates accessPoliciesUpdates);
|
||||
}
|
||||
@ -0,0 +1,9 @@
|
||||
#nullable enable
|
||||
namespace Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
|
||||
|
||||
public class ProjectServiceAccountsAccessPoliciesUpdates
|
||||
{
|
||||
public Guid ProjectId { get; set; }
|
||||
public Guid OrganizationId { get; set; }
|
||||
public IEnumerable<ServiceAccountProjectAccessPolicyUpdate> ServiceAccountAccessPolicyUpdates { get; set; } = [];
|
||||
}
|
||||
@ -0,0 +1,80 @@
|
||||
#nullable enable
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Enums.AccessPolicies;
|
||||
using Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
|
||||
|
||||
namespace Bit.Core.SecretsManager.Models.Data;
|
||||
|
||||
public class ProjectServiceAccountsAccessPolicies
|
||||
{
|
||||
public ProjectServiceAccountsAccessPolicies()
|
||||
{
|
||||
}
|
||||
|
||||
public ProjectServiceAccountsAccessPolicies(Guid projectId,
|
||||
IEnumerable<BaseAccessPolicy> policies)
|
||||
{
|
||||
ProjectId = projectId;
|
||||
ServiceAccountAccessPolicies = policies
|
||||
.OfType<ServiceAccountProjectAccessPolicy>()
|
||||
.ToList();
|
||||
|
||||
var project = ServiceAccountAccessPolicies.FirstOrDefault()?.GrantedProject;
|
||||
if (project != null)
|
||||
{
|
||||
OrganizationId = project.OrganizationId;
|
||||
}
|
||||
}
|
||||
|
||||
public Guid ProjectId { get; set; }
|
||||
public Guid OrganizationId { get; set; }
|
||||
public IEnumerable<ServiceAccountProjectAccessPolicy> ServiceAccountAccessPolicies { get; set; } = [];
|
||||
|
||||
public ProjectServiceAccountsAccessPoliciesUpdates GetPolicyUpdates(ProjectServiceAccountsAccessPolicies requested)
|
||||
{
|
||||
var currentServiceAccountIds = GetServiceAccountIds(ServiceAccountAccessPolicies);
|
||||
var requestedServiceAccountIds = GetServiceAccountIds(requested.ServiceAccountAccessPolicies);
|
||||
|
||||
var serviceAccountIdsToBeDeleted = currentServiceAccountIds.Except(requestedServiceAccountIds).ToList();
|
||||
var serviceAccountIdsToBeCreated = requestedServiceAccountIds.Except(currentServiceAccountIds).ToList();
|
||||
var serviceAccountIdsToBeUpdated = GetServiceAccountIdsToBeUpdated(requested);
|
||||
|
||||
var policiesToBeDeleted =
|
||||
CreatePolicyUpdates(ServiceAccountAccessPolicies, serviceAccountIdsToBeDeleted,
|
||||
AccessPolicyOperation.Delete);
|
||||
var policiesToBeCreated = CreatePolicyUpdates(requested.ServiceAccountAccessPolicies,
|
||||
serviceAccountIdsToBeCreated,
|
||||
AccessPolicyOperation.Create);
|
||||
var policiesToBeUpdated = CreatePolicyUpdates(requested.ServiceAccountAccessPolicies,
|
||||
serviceAccountIdsToBeUpdated,
|
||||
AccessPolicyOperation.Update);
|
||||
|
||||
return new ProjectServiceAccountsAccessPoliciesUpdates
|
||||
{
|
||||
OrganizationId = OrganizationId,
|
||||
ProjectId = ProjectId,
|
||||
ServiceAccountAccessPolicyUpdates =
|
||||
policiesToBeDeleted.Concat(policiesToBeCreated).Concat(policiesToBeUpdated)
|
||||
};
|
||||
}
|
||||
|
||||
private static List<ServiceAccountProjectAccessPolicyUpdate> CreatePolicyUpdates(
|
||||
IEnumerable<ServiceAccountProjectAccessPolicy> policies, List<Guid> serviceAccountIds,
|
||||
AccessPolicyOperation operation) =>
|
||||
policies
|
||||
.Where(ap => serviceAccountIds.Contains(ap.ServiceAccountId!.Value))
|
||||
.Select(ap => new ServiceAccountProjectAccessPolicyUpdate { Operation = operation, AccessPolicy = ap })
|
||||
.ToList();
|
||||
|
||||
private List<Guid> GetServiceAccountIdsToBeUpdated(ProjectServiceAccountsAccessPolicies requested) =>
|
||||
ServiceAccountAccessPolicies
|
||||
.Where(currentAp => requested.ServiceAccountAccessPolicies.Any(requestedAp =>
|
||||
requestedAp.GrantedProjectId == currentAp.GrantedProjectId &&
|
||||
requestedAp.ServiceAccountId == currentAp.ServiceAccountId &&
|
||||
(requestedAp.Write != currentAp.Write || requestedAp.Read != currentAp.Read)))
|
||||
.Select(ap => ap.ServiceAccountId!.Value)
|
||||
.ToList();
|
||||
|
||||
private static List<Guid> GetServiceAccountIds(IEnumerable<ServiceAccountProjectAccessPolicy> policies) =>
|
||||
policies.Select(ap => ap.ServiceAccountId!.Value).ToList();
|
||||
}
|
||||
@ -0,0 +1,10 @@
|
||||
#nullable enable
|
||||
using Bit.Core.SecretsManager.Models.Data;
|
||||
using Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
|
||||
|
||||
namespace Bit.Core.SecretsManager.Queries.AccessPolicies.Interfaces;
|
||||
|
||||
public interface IProjectServiceAccountsAccessPoliciesUpdatesQuery
|
||||
{
|
||||
Task<ProjectServiceAccountsAccessPoliciesUpdates> GetAsync(ProjectServiceAccountsAccessPolicies grantedPolicies);
|
||||
}
|
||||
@ -2,6 +2,7 @@
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Models.Data;
|
||||
using Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
|
||||
|
||||
namespace Bit.Core.SecretsManager.Repositories;
|
||||
|
||||
@ -22,4 +23,6 @@ public interface IAccessPolicyRepository
|
||||
Task<ServiceAccountGrantedPoliciesPermissionDetails?> GetServiceAccountGrantedPoliciesPermissionDetailsAsync(
|
||||
Guid serviceAccountId, Guid userId, AccessClientType accessClientType);
|
||||
Task UpdateServiceAccountGrantedPoliciesAsync(ServiceAccountGrantedPoliciesUpdates policyUpdates);
|
||||
Task<ProjectServiceAccountsAccessPolicies?> GetProjectServiceAccountsAccessPoliciesAsync(Guid projectId);
|
||||
Task UpdateProjectServiceAccountsAccessPoliciesAsync(ProjectServiceAccountsAccessPoliciesUpdates updates);
|
||||
}
|
||||
|
||||
@ -16,6 +16,9 @@ public interface IServiceAccountRepository
|
||||
Task<bool> UserHasWriteAccessToServiceAccount(Guid id, Guid userId);
|
||||
Task<IEnumerable<ServiceAccount>> GetManyByOrganizationIdWriteAccessAsync(Guid organizationId, Guid userId, AccessClientType accessType);
|
||||
Task<(bool Read, bool Write)> AccessToServiceAccountAsync(Guid id, Guid userId, AccessClientType accessType);
|
||||
Task<Dictionary<Guid, (bool Read, bool Write)>> AccessToServiceAccountsAsync(IEnumerable<Guid> ids, Guid userId,
|
||||
AccessClientType accessType);
|
||||
Task<int> GetServiceAccountCountByOrganizationIdAsync(Guid organizationId);
|
||||
Task<IEnumerable<ServiceAccountSecretsDetails>> GetManyByOrganizationIdWithSecretsDetailsAsync(Guid organizationId, Guid userId, AccessClientType accessType);
|
||||
Task<bool> ServiceAccountsAreInOrganizationAsync(List<Guid> serviceAccountIds, Guid organizationId);
|
||||
}
|
||||
|
||||
@ -53,10 +53,25 @@ public class NoopServiceAccountRepository : IServiceAccountRepository
|
||||
return Task.FromResult((false, false));
|
||||
}
|
||||
|
||||
public Task<Dictionary<Guid, (bool Read, bool Write)>> AccessToServiceAccountsAsync(IEnumerable<Guid> ids,
|
||||
Guid userId, AccessClientType accessType)
|
||||
{
|
||||
return Task.FromResult(null as Dictionary<Guid, (bool Read, bool Write)>);
|
||||
}
|
||||
|
||||
public Task<int> GetServiceAccountCountByOrganizationIdAsync(Guid organizationId)
|
||||
{
|
||||
return Task.FromResult(0);
|
||||
}
|
||||
|
||||
public Task<IEnumerable<ServiceAccountSecretsDetails>> GetManyByOrganizationIdWithSecretsDetailsAsync(Guid organizationId, Guid userId, AccessClientType accessType) => throw new NotImplementedException();
|
||||
public Task<IEnumerable<ServiceAccountSecretsDetails>> GetManyByOrganizationIdWithSecretsDetailsAsync(
|
||||
Guid organizationId, Guid userId, AccessClientType accessType)
|
||||
{
|
||||
return Task.FromResult(null as IEnumerable<ServiceAccountSecretsDetails>);
|
||||
}
|
||||
|
||||
public Task<bool> ServiceAccountsAreInOrganizationAsync(List<Guid> serviceAccountIds, Guid organizationId)
|
||||
{
|
||||
return Task.FromResult(false);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user