nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-07-01 08:02:49 -05:00
Code Activity

[SM-382] Service Account access policy checks (#2603)

Browse Source 
The purpose of this PR is to add access policy checks to service account endpoints.
This commit is contained in:
Thomas Avery
2023-01-24 09:50:04 -06:00
committed by GitHub
parent bdea036c1f
commit aa9f859306
17 changed files with 691 additions and 101 deletions
Download Patch File Download Diff File Expand all files Collapse all files

70
src/Api/Controllers/ServiceAccountsController.cs
View File

@ -3,9 +3,13 @@ using Bit.Api.Models.Response.SecretsManager;
using Bit.Api.SecretManagerFeatures.Models.Request;
using Bit.Api.SecretManagerFeatures.Models.Response;
using Bit.Api.Utilities;
using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Exceptions;
using Bit.Core.Repositories;
using Bit.Core.SecretManagerFeatures.AccessTokens.Interfaces;
using Bit.Core.SecretManagerFeatures.ServiceAccounts.Interfaces;
using Bit.Core.Services;
using Microsoft.AspNetCore.Mvc;
namespace Bit.Api.Controllers;
@ -14,59 +18,105 @@ namespace Bit.Api.Controllers;
[Route("service-accounts")]
public class ServiceAccountsController : Controller
{
private readonly IServiceAccountRepository _serviceAccountRepository;
private readonly IApiKeyRepository _apiKeyRepository;
private readonly ICreateServiceAccountCommand _createServiceAccountCommand;
private readonly ICreateAccessTokenCommand _createAccessTokenCommand;
private readonly ICreateServiceAccountCommand _createServiceAccountCommand;
private readonly ICurrentContext _currentContext;
private readonly IServiceAccountRepository _serviceAccountRepository;
private readonly IUpdateServiceAccountCommand _updateServiceAccountCommand;
private readonly IUserService _userService;
public ServiceAccountsController(
IUserService userService,
IServiceAccountRepository serviceAccountRepository,
ICreateAccessTokenCommand createAccessTokenCommand,
IApiKeyRepository apiKeyRepository, ICreateServiceAccountCommand createServiceAccountCommand,
IUpdateServiceAccountCommand updateServiceAccountCommand)
IUpdateServiceAccountCommand updateServiceAccountCommand,
ICurrentContext currentContext)
{
_userService = userService;
_serviceAccountRepository = serviceAccountRepository;
_apiKeyRepository = apiKeyRepository;
_createServiceAccountCommand = createServiceAccountCommand;
_updateServiceAccountCommand = updateServiceAccountCommand;
_createAccessTokenCommand = createAccessTokenCommand;
_currentContext = currentContext;
}
[HttpGet("/organizations/{organizationId}/service-accounts")]
public async Task<ListResponseModel<ServiceAccountResponseModel>> GetServiceAccountsByOrganizationAsync([FromRoute] Guid organizationId)
public async Task<ListResponseModel<ServiceAccountResponseModel>> GetServiceAccountsByOrganizationAsync(
[FromRoute] Guid organizationId)
{
var serviceAccounts = await _serviceAccountRepository.GetManyByOrganizationIdAsync(organizationId);
var userId = _userService.GetProperUserId(User).Value;
var orgAdmin = await _currentContext.OrganizationAdmin(organizationId);
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
var serviceAccounts =
await _serviceAccountRepository.GetManyByOrganizationIdAsync(organizationId, userId, accessClient);
var responses = serviceAccounts.Select(serviceAccount => new ServiceAccountResponseModel(serviceAccount));
return new ListResponseModel<ServiceAccountResponseModel>(responses);
}
[HttpPost("/organizations/{organizationId}/service-accounts")]
public async Task<ServiceAccountResponseModel> CreateServiceAccountAsync([FromRoute] Guid organizationId, [FromBody] ServiceAccountCreateRequestModel createRequest)
public async Task<ServiceAccountResponseModel> CreateServiceAccountAsync([FromRoute] Guid organizationId,
[FromBody] ServiceAccountCreateRequestModel createRequest)
{
if (!await _currentContext.OrganizationUser(organizationId))
{
throw new NotFoundException();
}
var result = await _createServiceAccountCommand.CreateAsync(createRequest.ToServiceAccount(organizationId));
return new ServiceAccountResponseModel(result);
}
[HttpPut("{id}")]
public async Task<ServiceAccountResponseModel> UpdateServiceAccountAsync([FromRoute] Guid id, [FromBody] ServiceAccountUpdateRequestModel updateRequest)
public async Task<ServiceAccountResponseModel> UpdateServiceAccountAsync([FromRoute] Guid id,
[FromBody] ServiceAccountUpdateRequestModel updateRequest)
{
var result = await _updateServiceAccountCommand.UpdateAsync(updateRequest.ToServiceAccount(id));
var userId = _userService.GetProperUserId(User).Value;
var result = await _updateServiceAccountCommand.UpdateAsync(updateRequest.ToServiceAccount(id), userId);
return new ServiceAccountResponseModel(result);
}
[HttpGet("{id}/access-tokens")]
public async Task<ListResponseModel<AccessTokenResponseModel>> GetAccessTokens([FromRoute] Guid id)
{
var userId = _userService.GetProperUserId(User).Value;
var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
if (serviceAccount == null)
{
throw new NotFoundException();
}
var orgAdmin = await _currentContext.OrganizationAdmin(serviceAccount.OrganizationId);
var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
var hasAccess = accessClient switch
{
AccessClientType.NoAccessCheck => true,
AccessClientType.User => await _serviceAccountRepository.UserHasReadAccessToServiceAccount(id, userId),
_ => false,
};
if (!hasAccess)
{
throw new NotFoundException();
}
var accessTokens = await _apiKeyRepository.GetManyByServiceAccountIdAsync(id);
var responses = accessTokens.Select(token => new AccessTokenResponseModel(token));
return new ListResponseModel<AccessTokenResponseModel>(responses);
}
[HttpPost("{id}/access-tokens")]
public async Task<AccessTokenCreationResponseModel> CreateAccessTokenAsync([FromRoute] Guid id, [FromBody] AccessTokenCreateRequestModel request)
public async Task<AccessTokenCreationResponseModel> CreateAccessTokenAsync([FromRoute] Guid id,
[FromBody] AccessTokenCreateRequestModel request)
{
var result = await _createAccessTokenCommand.CreateAsync(request.ToApiKey(id));
var userId = _userService.GetProperUserId(User).Value;
var result = await _createAccessTokenCommand.CreateAsync(request.ToApiKey(id), userId);
return new AccessTokenCreationResponseModel(result);
}
}

12
src/Api/Models/Response/SecretsManager/AccessTokenResponseModel.cs
View File

@ -17,11 +17,11 @@ public class AccessTokenResponseModel : ResponseModel
RevisionDate = apiKey.RevisionDate;
}
public Guid Id { get; }
public string Name { get; }
public ICollection<string> Scopes { get; }
public Guid Id { get; set; }
public string Name { get; set; }
public ICollection<string> Scopes { get; set; }
public DateTime? ExpireAt { get; }
public DateTime CreationDate { get; }
public DateTime RevisionDate { get; }
public DateTime? ExpireAt { get; set; }
public DateTime CreationDate { get; set; }
public DateTime RevisionDate { get; set; }
}

1
src/Api/SecretManagerFeatures/Models/Response/ServiceAccountResponseModel.cs
View File

@ -35,4 +35,3 @@ public class ServiceAccountResponseModel : ResponseModel
public DateTime RevisionDate { get; set; }
}

5
src/Core/Repositories/IServiceAccountRepository.cs
View File

@ -1,11 +1,14 @@
using Bit.Core.Entities;
using Bit.Core.Enums;
namespace Bit.Core.Repositories;
public interface IServiceAccountRepository
{
Task<IEnumerable<ServiceAccount>> GetManyByOrganizationIdAsync(Guid organizationId);
Task<IEnumerable<ServiceAccount>> GetManyByOrganizationIdAsync(Guid organizationId, Guid userId, AccessClientType accessType);
Task<ServiceAccount> GetByIdAsync(Guid id);
Task<ServiceAccount> CreateAsync(ServiceAccount serviceAccount);
Task ReplaceAsync(ServiceAccount serviceAccount);
Task<bool> UserHasReadAccessToServiceAccount(Guid id, Guid userId);
Task<bool> UserHasWriteAccessToServiceAccount(Guid id, Guid userId);
}

2
src/Core/SecretManagerFeatures/AccessTokens/Interfaces/ICreateAccessTokenCommand.cs
View File

@ -4,5 +4,5 @@ namespace Bit.Core.SecretManagerFeatures.AccessTokens.Interfaces;
public interface ICreateAccessTokenCommand
{
Task<ApiKey> CreateAsync(ApiKey apiKey);
Task<ApiKey> CreateAsync(ApiKey apiKey, Guid userId);
}

2
src/Core/SecretManagerFeatures/ServiceAccounts/Interfaces/IUpdateServiceAccountCommand.cs
View File

@ -4,5 +4,5 @@ namespace Bit.Core.SecretManagerFeatures.ServiceAccounts.Interfaces;
public interface IUpdateServiceAccountCommand
{
Task<ServiceAccount> UpdateAsync(ServiceAccount serviceAccount);
Task<ServiceAccount> UpdateAsync(ServiceAccount serviceAccount, Guid userId);
}

3
src/Infrastructure.EntityFramework/Models/AccessPolicy.cs
View File

@ -13,7 +13,10 @@ public class AccessPolicyMapperProfile : Profile
{
CreateMap<Core.Entities.UserProjectAccessPolicy, UserProjectAccessPolicy>().ReverseMap()
.ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
CreateMap<Core.Entities.UserServiceAccountAccessPolicy, UserServiceAccountAccessPolicy>().ReverseMap()
.ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
CreateMap<Core.Entities.GroupProjectAccessPolicy, GroupProjectAccessPolicy>().ReverseMap();
CreateMap<Core.Entities.GroupServiceAccountAccessPolicy, GroupServiceAccountAccessPolicy>().ReverseMap();
CreateMap<Core.Entities.ServiceAccountProjectAccessPolicy, ServiceAccountProjectAccessPolicy>().ReverseMap();
}
}

2
src/Infrastructure.EntityFramework/Models/ServiceAccount.cs
View File

@ -5,6 +5,8 @@ namespace Bit.Infrastructure.EntityFramework.Models;
public class ServiceAccount : Core.Entities.ServiceAccount
{
public virtual Organization Organization { get; set; }
public virtual ICollection<GroupServiceAccountAccessPolicy> GroupAccessPolicies { get; set; }
public virtual ICollection<UserServiceAccountAccessPolicy> UserAccessPolicies { get; set; }
}
public class ServiceAccountMapperProfile : Profile