[PM-14378] SecurityTask Authorization Handler (#5039)

* [PM-14378] Introduce GetCipherPermissionsForOrganization query for Dapper CipherRepository

* [PM-14378] Introduce GetCipherPermissionsForOrganization method for Entity Framework

* [PM-14378] Add integration tests for new repository method

* [PM-14378] Introduce IGetCipherPermissionsForUserQuery CQRS query

* [PM-14378] Introduce SecurityTaskOperationRequirement

* [PM-14378] Introduce SecurityTaskAuthorizationHandler.cs

* [PM-14378] Introduce SecurityTaskOrganizationAuthorizationHandler.cs

* [PM-14378] Register new authorization handlers

* [PM-14378] Formatting

* [PM-14378] Add unit tests for GetCipherPermissionsForUserQuery

* [PM-15378] Cleanup SecurityTaskAuthorizationHandler and add tests

* [PM-14378] Add tests for SecurityTaskOrganizationAuthorizationHandler

* [PM-14378] Formatting

* [PM-14378] Update date in migration file

* [PM-14378] Add missing awaits

* [PM-14378] Bump migration script date

* [PM-14378] Remove Unassigned property from OrganizationCipherPermission as it was making the query too complicated

* [PM-14378] Update sproc to use Union All to improve query performance

* [PM-14378] Bump migration script date

test/Infrastructure.IntegrationTest/Vault/Repositories/CipherRepositoryTests.cs

@@ -1,5 +1,6 @@
 using System.Text.Json;
 using Bit.Core.AdminConsole.Entities;
+using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
@@ -198,4 +199,238 @@ public class CipherRepositoryTests
         Assert.NotEqual(default, userProperty);
         Assert.Equal(folder.Id, userProperty.Value.GetGuid());
     }
+
+    [DatabaseTheory, DatabaseData]
+    public async Task GetCipherPermissionsForOrganizationAsync_Works(
+        ICipherRepository cipherRepository,
+        IUserRepository userRepository,
+        ICollectionCipherRepository collectionCipherRepository,
+        ICollectionRepository collectionRepository,
+        IOrganizationRepository organizationRepository,
+        IOrganizationUserRepository organizationUserRepository,
+        IGroupRepository groupRepository
+        )
+    {
+
+        var user = await userRepository.CreateAsync(new User
+        {
+            Name = "Test User",
+            Email = $"test+{Guid.NewGuid()}@email.com",
+            ApiKey = "TEST",
+            SecurityStamp = "stamp",
+        });
+
+        var organization = await organizationRepository.CreateAsync(new Organization
+        {
+            Name = "Test Organization",
+            BillingEmail = user.Email,
+            Plan = "Test"
+        });
+
+        var orgUser = await organizationUserRepository.CreateAsync(new OrganizationUser
+        {
+            UserId = user.Id,
+            OrganizationId = organization.Id,
+            Status = OrganizationUserStatusType.Confirmed,
+            Type = OrganizationUserType.Owner,
+        });
+
+        // A group that will be assigned Edit permissions to any collections
+        var editGroup = await groupRepository.CreateAsync(new Group
+        {
+            OrganizationId = organization.Id,
+            Name = "Edit Group",
+        });
+        await groupRepository.UpdateUsersAsync(editGroup.Id, new[] { orgUser.Id });
+
+        // MANAGE
+
+        var manageCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "Manage Collection",
+            OrganizationId = organization.Id
+        });
+
+        var manageCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(manageCipher.Id, organization.Id,
+            new List<Guid> { manageCollection.Id });
+
+        await collectionRepository.UpdateUsersAsync(manageCollection.Id, new List<CollectionAccessSelection>
+        {
+            new()
+            {
+                Id = orgUser.Id,
+                HidePasswords = false,
+                ReadOnly = false,
+                Manage = true
+            }
+        });
+
+        // EDIT
+
+        var editCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "Edit Collection",
+            OrganizationId = organization.Id
+        });
+
+        var editCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(editCipher.Id, organization.Id,
+            new List<Guid> { editCollection.Id });
+
+        await collectionRepository.UpdateUsersAsync(editCollection.Id,
+            new List<CollectionAccessSelection>
+            {
+                new() { Id = orgUser.Id, HidePasswords = false, ReadOnly = false, Manage = false }
+            });
+
+        // EDIT EXCEPT PASSWORD
+
+        var editExceptPasswordCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "Edit Except Password Collection",
+            OrganizationId = organization.Id
+        });
+
+        var editExceptPasswordCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(editExceptPasswordCipher.Id, organization.Id,
+            new List<Guid> { editExceptPasswordCollection.Id });
+
+        await collectionRepository.UpdateUsersAsync(editExceptPasswordCollection.Id, new List<CollectionAccessSelection>
+        {
+            new() { Id = orgUser.Id, HidePasswords = true, ReadOnly = false, Manage = false }
+        });
+
+        // VIEW ONLY
+
+        var viewOnlyCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "View Only Collection",
+            OrganizationId = organization.Id
+        });
+
+        var viewOnlyCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(viewOnlyCipher.Id, organization.Id,
+            new List<Guid> { viewOnlyCollection.Id });
+
+        await collectionRepository.UpdateUsersAsync(viewOnlyCollection.Id,
+            new List<CollectionAccessSelection>
+            {
+                new() { Id = orgUser.Id, HidePasswords = false, ReadOnly = true, Manage = false }
+            });
+
+        // Assign the EditGroup to this View Only collection. The user belongs to this group.
+        // The user permissions specified above (ViewOnly) should take precedence.
+        await groupRepository.ReplaceAsync(editGroup,
+            new[]
+            {
+                new CollectionAccessSelection
+                {
+                    Id = viewOnlyCollection.Id, HidePasswords = false, ReadOnly = false, Manage = false
+                },
+            });
+
+        // VIEW EXCEPT PASSWORD
+
+        var viewExceptPasswordCollection = await collectionRepository.CreateAsync(new Collection
+        {
+            Name = "View Except Password Collection",
+            OrganizationId = organization.Id
+        });
+
+        var viewExceptPasswordCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        await collectionCipherRepository.UpdateCollectionsForAdminAsync(viewExceptPasswordCipher.Id, organization.Id,
+            new List<Guid> { viewExceptPasswordCollection.Id });
+
+        await collectionRepository.UpdateUsersAsync(viewExceptPasswordCollection.Id,
+            new List<CollectionAccessSelection>
+            {
+                new() { Id = orgUser.Id, HidePasswords = true, ReadOnly = true, Manage = false }
+            });
+
+        // UNASSIGNED
+
+        var unassignedCipher = await cipherRepository.CreateAsync(new Cipher
+        {
+            Type = CipherType.Login,
+            OrganizationId = organization.Id,
+            Data = ""
+        });
+
+        var permissions = await cipherRepository.GetCipherPermissionsForOrganizationAsync(organization.Id, user.Id);
+
+        Assert.NotEmpty(permissions);
+
+        var manageCipherPermission = permissions.FirstOrDefault(c => c.Id == manageCipher.Id);
+        Assert.NotNull(manageCipherPermission);
+        Assert.True(manageCipherPermission.Manage);
+        Assert.True(manageCipherPermission.Edit);
+        Assert.True(manageCipherPermission.Read);
+        Assert.True(manageCipherPermission.ViewPassword);
+
+        var editCipherPermission = permissions.FirstOrDefault(c => c.Id == editCipher.Id);
+        Assert.NotNull(editCipherPermission);
+        Assert.False(editCipherPermission.Manage);
+        Assert.True(editCipherPermission.Edit);
+        Assert.True(editCipherPermission.Read);
+        Assert.True(editCipherPermission.ViewPassword);
+
+        var editExceptPasswordCipherPermission = permissions.FirstOrDefault(c => c.Id == editExceptPasswordCipher.Id);
+        Assert.NotNull(editExceptPasswordCipherPermission);
+        Assert.False(editExceptPasswordCipherPermission.Manage);
+        Assert.True(editExceptPasswordCipherPermission.Edit);
+        Assert.True(editExceptPasswordCipherPermission.Read);
+        Assert.False(editExceptPasswordCipherPermission.ViewPassword);
+
+        var viewOnlyCipherPermission = permissions.FirstOrDefault(c => c.Id == viewOnlyCipher.Id);
+        Assert.NotNull(viewOnlyCipherPermission);
+        Assert.False(viewOnlyCipherPermission.Manage);
+        Assert.False(viewOnlyCipherPermission.Edit);
+        Assert.True(viewOnlyCipherPermission.Read);
+        Assert.True(viewOnlyCipherPermission.ViewPassword);
+
+        var viewExceptPasswordCipherPermission = permissions.FirstOrDefault(c => c.Id == viewExceptPasswordCipher.Id);
+        Assert.NotNull(viewExceptPasswordCipherPermission);
+        Assert.False(viewExceptPasswordCipherPermission.Manage);
+        Assert.False(viewExceptPasswordCipherPermission.Edit);
+        Assert.True(viewExceptPasswordCipherPermission.Read);
+        Assert.False(viewExceptPasswordCipherPermission.ViewPassword);
+
+        var unassignedCipherPermission = permissions.FirstOrDefault(c => c.Id == unassignedCipher.Id);
+        Assert.NotNull(unassignedCipherPermission);
+        Assert.False(unassignedCipherPermission.Manage);
+        Assert.False(unassignedCipherPermission.Edit);
+        Assert.False(unassignedCipherPermission.Read);
+        Assert.False(unassignedCipherPermission.ViewPassword);
+    }
 }