mirror of
https://github.com/bitwarden/server.git
synced 2025-07-15 14:47:45 -05:00
[SM-923] Add project service accounts access policies management endpoints (#3993)
* Add new models * Update repositories * Add new authz handler * Add new query * Add new command * Add authz, command, and query to DI * Add new endpoint to controller * Add query unit tests * Add api unit tests * Add api integration tests
This commit is contained in:
Thomas Avery
@ -0,0 +1,14 @@
|
||||
#nullable enable
|
||||
using Microsoft.AspNetCore.Authorization.Infrastructure;
|
||||
|
||||
namespace Bit.Core.SecretsManager.AuthorizationRequirements;
|
||||
|
||||
public class ProjectServiceAccountsAccessPoliciesOperationRequirement : OperationAuthorizationRequirement
|
||||
{
|
||||
|
||||
}
|
||||
|
||||
public static class ProjectServiceAccountsAccessPoliciesOperations
|
||||
{
|
||||
public static readonly ProjectServiceAccountsAccessPoliciesOperationRequirement Updates = new() { Name = nameof(Updates) };
|
||||
}
|
||||
@ -0,0 +1,9 @@
|
||||
#nullable enable
|
||||
using Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
|
||||
|
||||
namespace Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
|
||||
|
||||
public interface IUpdateProjectServiceAccountsAccessPoliciesCommand
|
||||
{
|
||||
Task UpdateAsync(ProjectServiceAccountsAccessPoliciesUpdates accessPoliciesUpdates);
|
||||
}
|
||||
@ -0,0 +1,9 @@
|
||||
#nullable enable
|
||||
namespace Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
|
||||
|
||||
public class ProjectServiceAccountsAccessPoliciesUpdates
|
||||
{
|
||||
public Guid ProjectId { get; set; }
|
||||
public Guid OrganizationId { get; set; }
|
||||
public IEnumerable<ServiceAccountProjectAccessPolicyUpdate> ServiceAccountAccessPolicyUpdates { get; set; } = [];
|
||||
}
|
||||
@ -0,0 +1,80 @@
|
||||
#nullable enable
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Enums.AccessPolicies;
|
||||
using Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
|
||||
|
||||
namespace Bit.Core.SecretsManager.Models.Data;
|
||||
|
||||
public class ProjectServiceAccountsAccessPolicies
|
||||
{
|
||||
public ProjectServiceAccountsAccessPolicies()
|
||||
{
|
||||
}
|
||||
|
||||
public ProjectServiceAccountsAccessPolicies(Guid projectId,
|
||||
IEnumerable<BaseAccessPolicy> policies)
|
||||
{
|
||||
ProjectId = projectId;
|
||||
ServiceAccountAccessPolicies = policies
|
||||
.OfType<ServiceAccountProjectAccessPolicy>()
|
||||
.ToList();
|
||||
|
||||
var project = ServiceAccountAccessPolicies.FirstOrDefault()?.GrantedProject;
|
||||
if (project != null)
|
||||
{
|
||||
OrganizationId = project.OrganizationId;
|
||||
}
|
||||
}
|
||||
|
||||
public Guid ProjectId { get; set; }
|
||||
public Guid OrganizationId { get; set; }
|
||||
public IEnumerable<ServiceAccountProjectAccessPolicy> ServiceAccountAccessPolicies { get; set; } = [];
|
||||
|
||||
public ProjectServiceAccountsAccessPoliciesUpdates GetPolicyUpdates(ProjectServiceAccountsAccessPolicies requested)
|
||||
{
|
||||
var currentServiceAccountIds = GetServiceAccountIds(ServiceAccountAccessPolicies);
|
||||
var requestedServiceAccountIds = GetServiceAccountIds(requested.ServiceAccountAccessPolicies);
|
||||
|
||||
var serviceAccountIdsToBeDeleted = currentServiceAccountIds.Except(requestedServiceAccountIds).ToList();
|
||||
var serviceAccountIdsToBeCreated = requestedServiceAccountIds.Except(currentServiceAccountIds).ToList();
|
||||
var serviceAccountIdsToBeUpdated = GetServiceAccountIdsToBeUpdated(requested);
|
||||
|
||||
var policiesToBeDeleted =
|
||||
CreatePolicyUpdates(ServiceAccountAccessPolicies, serviceAccountIdsToBeDeleted,
|
||||
AccessPolicyOperation.Delete);
|
||||
var policiesToBeCreated = CreatePolicyUpdates(requested.ServiceAccountAccessPolicies,
|
||||
serviceAccountIdsToBeCreated,
|
||||
AccessPolicyOperation.Create);
|
||||
var policiesToBeUpdated = CreatePolicyUpdates(requested.ServiceAccountAccessPolicies,
|
||||
serviceAccountIdsToBeUpdated,
|
||||
AccessPolicyOperation.Update);
|
||||
|
||||
return new ProjectServiceAccountsAccessPoliciesUpdates
|
||||
{
|
||||
OrganizationId = OrganizationId,
|
||||
ProjectId = ProjectId,
|
||||
ServiceAccountAccessPolicyUpdates =
|
||||
policiesToBeDeleted.Concat(policiesToBeCreated).Concat(policiesToBeUpdated)
|
||||
};
|
||||
}
|
||||
|
||||
private static List<ServiceAccountProjectAccessPolicyUpdate> CreatePolicyUpdates(
|
||||
IEnumerable<ServiceAccountProjectAccessPolicy> policies, List<Guid> serviceAccountIds,
|
||||
AccessPolicyOperation operation) =>
|
||||
policies
|
||||
.Where(ap => serviceAccountIds.Contains(ap.ServiceAccountId!.Value))
|
||||
.Select(ap => new ServiceAccountProjectAccessPolicyUpdate { Operation = operation, AccessPolicy = ap })
|
||||
.ToList();
|
||||
|
||||
private List<Guid> GetServiceAccountIdsToBeUpdated(ProjectServiceAccountsAccessPolicies requested) =>
|
||||
ServiceAccountAccessPolicies
|
||||
.Where(currentAp => requested.ServiceAccountAccessPolicies.Any(requestedAp =>
|
||||
requestedAp.GrantedProjectId == currentAp.GrantedProjectId &&
|
||||
requestedAp.ServiceAccountId == currentAp.ServiceAccountId &&
|
||||
(requestedAp.Write != currentAp.Write || requestedAp.Read != currentAp.Read)))
|
||||
.Select(ap => ap.ServiceAccountId!.Value)
|
||||
.ToList();
|
||||
|
||||
private static List<Guid> GetServiceAccountIds(IEnumerable<ServiceAccountProjectAccessPolicy> policies) =>
|
||||
policies.Select(ap => ap.ServiceAccountId!.Value).ToList();
|
||||
}
|
||||
@ -0,0 +1,10 @@
|
||||
#nullable enable
|
||||
using Bit.Core.SecretsManager.Models.Data;
|
||||
using Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
|
||||
|
||||
namespace Bit.Core.SecretsManager.Queries.AccessPolicies.Interfaces;
|
||||
|
||||
public interface IProjectServiceAccountsAccessPoliciesUpdatesQuery
|
||||
{
|
||||
Task<ProjectServiceAccountsAccessPoliciesUpdates> GetAsync(ProjectServiceAccountsAccessPolicies grantedPolicies);
|
||||
}
|
||||
@ -2,6 +2,7 @@
|
||||
using Bit.Core.Enums;
|
||||
using Bit.Core.SecretsManager.Entities;
|
||||
using Bit.Core.SecretsManager.Models.Data;
|
||||
using Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
|
||||
|
||||
namespace Bit.Core.SecretsManager.Repositories;
|
||||
|
||||
@ -22,4 +23,6 @@ public interface IAccessPolicyRepository
|
||||
Task<ServiceAccountGrantedPoliciesPermissionDetails?> GetServiceAccountGrantedPoliciesPermissionDetailsAsync(
|
||||
Guid serviceAccountId, Guid userId, AccessClientType accessClientType);
|
||||
Task UpdateServiceAccountGrantedPoliciesAsync(ServiceAccountGrantedPoliciesUpdates policyUpdates);
|
||||
Task<ProjectServiceAccountsAccessPolicies?> GetProjectServiceAccountsAccessPoliciesAsync(Guid projectId);
|
||||
Task UpdateProjectServiceAccountsAccessPoliciesAsync(ProjectServiceAccountsAccessPoliciesUpdates updates);
|
||||
}
|
||||
|
||||
@ -16,6 +16,9 @@ public interface IServiceAccountRepository
|
||||
Task<bool> UserHasWriteAccessToServiceAccount(Guid id, Guid userId);
|
||||
Task<IEnumerable<ServiceAccount>> GetManyByOrganizationIdWriteAccessAsync(Guid organizationId, Guid userId, AccessClientType accessType);
|
||||
Task<(bool Read, bool Write)> AccessToServiceAccountAsync(Guid id, Guid userId, AccessClientType accessType);
|
||||
Task<Dictionary<Guid, (bool Read, bool Write)>> AccessToServiceAccountsAsync(IEnumerable<Guid> ids, Guid userId,
|
||||
AccessClientType accessType);
|
||||
Task<int> GetServiceAccountCountByOrganizationIdAsync(Guid organizationId);
|
||||
Task<IEnumerable<ServiceAccountSecretsDetails>> GetManyByOrganizationIdWithSecretsDetailsAsync(Guid organizationId, Guid userId, AccessClientType accessType);
|
||||
Task<bool> ServiceAccountsAreInOrganizationAsync(List<Guid> serviceAccountIds, Guid organizationId);
|
||||
}
|
||||
|
||||
@ -53,10 +53,25 @@ public class NoopServiceAccountRepository : IServiceAccountRepository
|
||||
return Task.FromResult((false, false));
|
||||
}
|
||||
|
||||
public Task<Dictionary<Guid, (bool Read, bool Write)>> AccessToServiceAccountsAsync(IEnumerable<Guid> ids,
|
||||
Guid userId, AccessClientType accessType)
|
||||
{
|
||||
return Task.FromResult(null as Dictionary<Guid, (bool Read, bool Write)>);
|
||||
}
|
||||
|
||||
public Task<int> GetServiceAccountCountByOrganizationIdAsync(Guid organizationId)
|
||||
{
|
||||
return Task.FromResult(0);
|
||||
}
|
||||
|
||||
public Task<IEnumerable<ServiceAccountSecretsDetails>> GetManyByOrganizationIdWithSecretsDetailsAsync(Guid organizationId, Guid userId, AccessClientType accessType) => throw new NotImplementedException();
|
||||
public Task<IEnumerable<ServiceAccountSecretsDetails>> GetManyByOrganizationIdWithSecretsDetailsAsync(
|
||||
Guid organizationId, Guid userId, AccessClientType accessType)
|
||||
{
|
||||
return Task.FromResult(null as IEnumerable<ServiceAccountSecretsDetails>);
|
||||
}
|
||||
|
||||
public Task<bool> ServiceAccountsAreInOrganizationAsync(List<Guid> serviceAccountIds, Guid organizationId)
|
||||
{
|
||||
return Task.FromResult(false);
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user