[SM-923] Add project service accounts access policies management endpoints (#3993)

* Add new models * Update repositories * Add new authz handler * Add new query * Add new command * Add authz, command, and query to DI * Add new endpoint to controller * Add query unit tests * Add api unit tests * Add api integration tests
2025-07-02 16:42:50 -05:00 · 2024-05-02 11:06:20 -05:00
parent e302ee1520
commit 7f8cea58d0
23 changed files with 1559 additions and 29 deletions
--- a/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
+++ b/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
@ -29,8 +29,10 @@ public class AccessPoliciesController : Controller
    private readonly IServiceAccountRepository _serviceAccountRepository;
    private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
    private readonly IUpdateServiceAccountGrantedPoliciesCommand _updateServiceAccountGrantedPoliciesCommand;
+    private readonly IUpdateProjectServiceAccountsAccessPoliciesCommand _updateProjectServiceAccountsAccessPoliciesCommand;
    private readonly IAccessClientQuery _accessClientQuery;
    private readonly IServiceAccountGrantedPolicyUpdatesQuery _serviceAccountGrantedPolicyUpdatesQuery;
+    private readonly IProjectServiceAccountsAccessPoliciesUpdatesQuery _projectServiceAccountsAccessPoliciesUpdatesQuery;
    private readonly IUserService _userService;
    private readonly IAuthorizationService _authorizationService;

@ -43,9 +45,11 @@ public class AccessPoliciesController : Controller
        IProjectRepository projectRepository,
        IAccessClientQuery accessClientQuery,
        IServiceAccountGrantedPolicyUpdatesQuery serviceAccountGrantedPolicyUpdatesQuery,
+        IProjectServiceAccountsAccessPoliciesUpdatesQuery projectServiceAccountsAccessPoliciesUpdatesQuery,
        IUpdateServiceAccountGrantedPoliciesCommand updateServiceAccountGrantedPoliciesCommand,
        ICreateAccessPoliciesCommand createAccessPoliciesCommand,
        IDeleteAccessPolicyCommand deleteAccessPolicyCommand,
+        IUpdateProjectServiceAccountsAccessPoliciesCommand updateProjectServiceAccountsAccessPoliciesCommand,
        IUpdateAccessPolicyCommand updateAccessPolicyCommand)
    {
        _authorizationService = authorizationService;
@ -60,6 +64,8 @@ public class AccessPoliciesController : Controller
        _updateServiceAccountGrantedPoliciesCommand = updateServiceAccountGrantedPoliciesCommand;
        _accessClientQuery = accessClientQuery;
        _serviceAccountGrantedPolicyUpdatesQuery = serviceAccountGrantedPolicyUpdatesQuery;
+        _projectServiceAccountsAccessPoliciesUpdatesQuery = projectServiceAccountsAccessPoliciesUpdatesQuery;
+        _updateProjectServiceAccountsAccessPoliciesCommand = updateProjectServiceAccountsAccessPoliciesCommand;
    }

    [HttpPost("/projects/{id}/access-policies")]
@ -296,6 +302,41 @@ public class AccessPoliciesController : Controller
        return await GetServiceAccountGrantedPoliciesAsync(serviceAccount);
    }

+    [HttpGet("/projects/{id}/access-policies/service-accounts")]
+    public async Task<ProjectServiceAccountsAccessPoliciesResponseModel>
+        GetProjectServiceAccountsAccessPoliciesAsync(
+            [FromRoute] Guid id)
+    {
+        var project = await _projectRepository.GetByIdAsync(id);
+        await CheckUserHasWriteAccessToProjectAsync(project);
+        var results =
+            await _accessPolicyRepository.GetProjectServiceAccountsAccessPoliciesAsync(id);
+        return new ProjectServiceAccountsAccessPoliciesResponseModel(results);
+    }
+
+    [HttpPut("/projects/{id}/access-policies/service-accounts")]
+    public async Task<ProjectServiceAccountsAccessPoliciesResponseModel>
+        PutProjectServiceAccountsAccessPoliciesAsync([FromRoute] Guid id,
+            [FromBody] ProjectServiceAccountsAccessPoliciesRequestModel request)
+    {
+        var project = await _projectRepository.GetByIdAsync(id) ?? throw new NotFoundException();
+        var accessPoliciesUpdates =
+            await _projectServiceAccountsAccessPoliciesUpdatesQuery.GetAsync(
+                request.ToProjectServiceAccountsAccessPolicies(project));
+
+        var authorizationResult = await _authorizationService.AuthorizeAsync(User, accessPoliciesUpdates,
+            ProjectServiceAccountsAccessPoliciesOperations.Updates);
+        if (!authorizationResult.Succeeded)
+        {
+            throw new NotFoundException();
+        }
+
+        await _updateProjectServiceAccountsAccessPoliciesCommand.UpdateAsync(accessPoliciesUpdates);
+
+        var results = await _accessPolicyRepository.GetProjectServiceAccountsAccessPoliciesAsync(id);
+        return new ProjectServiceAccountsAccessPoliciesResponseModel(results);
+    }
+
    private async Task<(AccessClientType AccessClientType, Guid UserId)> CheckUserHasWriteAccessToProjectAsync(Project project)
    {
        if (project == null)
--- a/src/Api/SecretsManager/Models/Request/ProjectServiceAccountsAccessPoliciesRequestModel.cs
+++ b/src/Api/SecretsManager/Models/Request/ProjectServiceAccountsAccessPoliciesRequestModel.cs
@ -0,0 +1,28 @@
+#nullable enable
+using Bit.Api.SecretsManager.Utilities;
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Models.Data;
+
+namespace Bit.Api.SecretsManager.Models.Request;
+
+public class ProjectServiceAccountsAccessPoliciesRequestModel
+{
+    public required IEnumerable<AccessPolicyRequest> ServiceAccountAccessPolicyRequests { get; set; }
+
+    public ProjectServiceAccountsAccessPolicies ToProjectServiceAccountsAccessPolicies(Project project)
+    {
+        var serviceAccountAccessPolicies = ServiceAccountAccessPolicyRequests
+            .Select(x => x.ToServiceAccountProjectAccessPolicy(project.Id, project.OrganizationId))
+            .ToList();
+
+        AccessPolicyHelpers.CheckForDistinctAccessPolicies(serviceAccountAccessPolicies);
+        AccessPolicyHelpers.CheckAccessPoliciesHaveReadPermission(serviceAccountAccessPolicies);
+
+        return new ProjectServiceAccountsAccessPolicies
+        {
+            ProjectId = project.Id,
+            OrganizationId = project.OrganizationId,
+            ServiceAccountAccessPolicies = serviceAccountAccessPolicies
+        };
+    }
+}
--- a/src/Api/SecretsManager/Models/Response/ProjectServiceAccountsAccessPoliciesResponseModel.cs
+++ b/src/Api/SecretsManager/Models/Response/ProjectServiceAccountsAccessPoliciesResponseModel.cs
@ -0,0 +1,29 @@
+#nullable enable
+using Bit.Core.Models.Api;
+using Bit.Core.SecretsManager.Models.Data;
+
+namespace Bit.Api.SecretsManager.Models.Response;
+
+public class ProjectServiceAccountsAccessPoliciesResponseModel : ResponseModel
+{
+    private const string _objectName = "ProjectServiceAccountsAccessPolicies";
+
+    public ProjectServiceAccountsAccessPoliciesResponseModel(
+        ProjectServiceAccountsAccessPolicies? projectServiceAccountsAccessPolicies)
+        : base(_objectName)
+    {
+        if (projectServiceAccountsAccessPolicies == null)
+        {
+            return;
+        }
+
+        ServiceAccountAccessPolicies = projectServiceAccountsAccessPolicies.ServiceAccountAccessPolicies
+            .Select(x => new ServiceAccountProjectAccessPolicyResponseModel(x)).ToList();
+    }
+
+    public ProjectServiceAccountsAccessPoliciesResponseModel() : base(_objectName)
+    {
+    }
+
+    public List<ServiceAccountProjectAccessPolicyResponseModel> ServiceAccountAccessPolicies { get; set; } = [];
+}