[PM-19585] Use Authorize attributes for simple role authorization (#5555)

- Add Authorize<T> attribute - Add IOrganizationRequirement and example implementation - Add OrganizationRequirementHandler - Add extension methods (replacing ICurrentContext) - Move custom permissions claim definitions --- Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com> Co-authored-by: ✨ Audrey ✨ <ajensen@bitwarden.com>
2025-07-12 13:19:01 -05:00 · 2025-04-15 14:36:00 +10:00
parent c9a42d861c
commit 84a984a9e6
16 changed files with 590 additions and 16 deletions
--- a/src/Core/AdminConsole/Models/Data/Permissions.cs
+++ b/src/Core/AdminConsole/Models/Data/Permissions.cs
@ -1,4 +1,5 @@
 using System.Text.Json.Serialization;
+using Bit.Core.Identity;

 namespace Bit.Core.Models.Data;

@ -20,17 +21,17 @@ public class Permissions
    [JsonIgnore]
    public List<(bool Permission, string ClaimName)> ClaimsMap => new()
    {
-        (AccessEventLogs, "accesseventlogs"),
-        (AccessImportExport, "accessimportexport"),
-        (AccessReports, "accessreports"),
-        (CreateNewCollections, "createnewcollections"),
-        (EditAnyCollection, "editanycollection"),
-        (DeleteAnyCollection, "deleteanycollection"),
-        (ManageGroups, "managegroups"),
-        (ManagePolicies, "managepolicies"),
-        (ManageSso, "managesso"),
-        (ManageUsers, "manageusers"),
-        (ManageResetPassword, "manageresetpassword"),
-        (ManageScim, "managescim"),
+        (AccessEventLogs, Claims.CustomPermissions.AccessEventLogs),
+        (AccessImportExport, Claims.CustomPermissions.AccessImportExport),
+        (AccessReports, Claims.CustomPermissions.AccessReports),
+        (CreateNewCollections, Claims.CustomPermissions.CreateNewCollections),
+        (EditAnyCollection, Claims.CustomPermissions.EditAnyCollection),
+        (DeleteAnyCollection, Claims.CustomPermissions.DeleteAnyCollection),
+        (ManageGroups, Claims.CustomPermissions.ManageGroups),
+        (ManagePolicies, Claims.CustomPermissions.ManagePolicies),
+        (ManageSso, Claims.CustomPermissions.ManageSso),
+        (ManageUsers, Claims.CustomPermissions.ManageUsers),
+        (ManageResetPassword, Claims.CustomPermissions.ManageResetPassword),
+        (ManageScim, Claims.CustomPermissions.ManageScim),
    };
 }
--- a/src/Core/Identity/Claims.cs
+++ b/src/Core/Identity/Claims.cs
@ -22,4 +22,21 @@ public static class Claims

    // General
    public const string Type = "type";
+
+    // Organization custom permissions
+    public static class CustomPermissions
+    {
+        public const string AccessEventLogs = "accesseventlogs";
+        public const string AccessImportExport = "accessimportexport";
+        public const string AccessReports = "accessreports";
+        public const string CreateNewCollections = "createnewcollections";
+        public const string EditAnyCollection = "editanycollection";
+        public const string DeleteAnyCollection = "deleteanycollection";
+        public const string ManageGroups = "managegroups";
+        public const string ManagePolicies = "managepolicies";
+        public const string ManageSso = "managesso";
+        public const string ManageUsers = "manageusers";
+        public const string ManageResetPassword = "manageresetpassword";
+        public const string ManageScim = "managescim";
+    }
 }