[PM-3478] Refactor OrganizationUser api (#4752)

* Add OrganizationUserMiniDetails endpoint, models and authorization * Restrict access to current OrganizationUserUserDetails endpoint Both are behind feature flags
2025-06-30 23:52:50 -05:00 · 2024-10-01 07:14:16 +10:00
parent 7368e57b7b
commit c94a084c86
16 changed files with 514 additions and 211 deletions
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@ -3,10 +3,10 @@ using Bit.Api.AdminConsole.Models.Response.Organizations;
 using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response;
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
-using Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
 using Bit.Core;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
@ -44,7 +44,6 @@ public class OrganizationUsersController : Controller
    private readonly ICountNewSmSeatsRequiredQuery _countNewSmSeatsRequiredQuery;
    private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
    private readonly IUpdateOrganizationUserCommand _updateOrganizationUserCommand;
-    private readonly IUpdateOrganizationUserGroupsCommand _updateOrganizationUserGroupsCommand;
    private readonly IAcceptOrgUserCommand _acceptOrgUserCommand;
    private readonly IAuthorizationService _authorizationService;
    private readonly IApplicationCacheService _applicationCacheService;
@ -66,7 +65,6 @@ public class OrganizationUsersController : Controller
        ICountNewSmSeatsRequiredQuery countNewSmSeatsRequiredQuery,
        IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
        IUpdateOrganizationUserCommand updateOrganizationUserCommand,
-        IUpdateOrganizationUserGroupsCommand updateOrganizationUserGroupsCommand,
        IAcceptOrgUserCommand acceptOrgUserCommand,
        IAuthorizationService authorizationService,
        IApplicationCacheService applicationCacheService,
@ -86,7 +84,6 @@ public class OrganizationUsersController : Controller
        _countNewSmSeatsRequiredQuery = countNewSmSeatsRequiredQuery;
        _updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
        _updateOrganizationUserCommand = updateOrganizationUserCommand;
-        _updateOrganizationUserGroupsCommand = updateOrganizationUserGroupsCommand;
        _acceptOrgUserCommand = acceptOrgUserCommand;
        _authorizationService = authorizationService;
        _applicationCacheService = applicationCacheService;
@ -115,11 +112,27 @@ public class OrganizationUsersController : Controller
        return response;
    }

+    [HttpGet("mini-details")]
+    [RequireFeature(FeatureFlagKeys.Pm3478RefactorOrganizationUserApi)]
+    public async Task<ListResponseModel<OrganizationUserUserMiniDetailsResponseModel>> GetMiniDetails(Guid orgId)
+    {
+        var authorizationResult = await _authorizationService.AuthorizeAsync(User, new OrganizationScope(orgId),
+            OrganizationUserUserMiniDetailsOperations.ReadAll);
+        if (!authorizationResult.Succeeded)
+        {
+            throw new NotFoundException();
+        }
+
+        var organizationUserUserDetails = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(orgId);
+        return new ListResponseModel<OrganizationUserUserMiniDetailsResponseModel>(
+            organizationUserUserDetails.Select(ou => new OrganizationUserUserMiniDetailsResponseModel(ou)));
+    }
+
    [HttpGet("")]
    public async Task<ListResponseModel<OrganizationUserUserDetailsResponseModel>> Get(Guid orgId, bool includeGroups = false, bool includeCollections = false)
    {
        var authorized = (await _authorizationService.AuthorizeAsync(
-            User, OrganizationUserOperations.ReadAll(orgId))).Succeeded;
+            User, new OrganizationScope(orgId), OrganizationUserUserDetailsOperations.ReadAll)).Succeeded;
        if (!authorized)
        {
            throw new NotFoundException();
--- a/src/Api/AdminConsole/Models/Response/Organizations/OrganizationUserResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationUserResponseModel.cs
@ -84,6 +84,29 @@ public class OrganizationUserDetailsResponseModel : OrganizationUserResponseMode
    public IEnumerable<Guid> Groups { get; set; }
 }

+#nullable enable
+public class OrganizationUserUserMiniDetailsResponseModel : ResponseModel
+{
+    public OrganizationUserUserMiniDetailsResponseModel(OrganizationUserUserDetails organizationUser)
+        : base("organizationUserUserMiniDetails")
+    {
+        Id = organizationUser.Id;
+        UserId = organizationUser.UserId;
+        Type = organizationUser.Type;
+        Status = organizationUser.Status;
+        Name = organizationUser.Name;
+        Email = organizationUser.Email;
+    }
+
+    public Guid Id { get; }
+    public Guid? UserId { get; }
+    public OrganizationUserType Type { get; }
+    public OrganizationUserStatusType Status { get; }
+    public string? Name { get; }
+    public string Email { get; }
+}
+#nullable disable
+
 public class OrganizationUserUserDetailsResponseModel : OrganizationUserResponseModel
 {
    public OrganizationUserUserDetailsResponseModel(OrganizationUserUserDetails organizationUser,
--- a/src/Api/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Api/Utilities/ServiceCollectionExtensions.cs
@ -1,6 +1,5 @@
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Api.Vault.AuthorizationHandlers.Groups;
-using Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
 using Bit.Core.IdentityServer;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
@ -100,6 +99,5 @@ public static class ServiceCollectionExtensions
        services.AddScoped<IAuthorizationHandler, BulkCollectionAuthorizationHandler>();
        services.AddScoped<IAuthorizationHandler, CollectionAuthorizationHandler>();
        services.AddScoped<IAuthorizationHandler, GroupAuthorizationHandler>();
-        services.AddScoped<IAuthorizationHandler, OrganizationUserAuthorizationHandler>();
    }
 }
--- a/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserAuthorizationHandler.cs
+++ b/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserAuthorizationHandler.cs
@ -1,60 +0,0 @@
-#nullable enable
-using Bit.Core.Context;
-using Microsoft.AspNetCore.Authorization;
-
-namespace Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
-
-/// <summary>
-/// Handles authorization logic for OrganizationUser objects.
-/// This uses new logic implemented in the Flexible Collections initiative.
-/// </summary>
-public class OrganizationUserAuthorizationHandler : AuthorizationHandler<OrganizationUserOperationRequirement>
-{
-    private readonly ICurrentContext _currentContext;
-
-    public OrganizationUserAuthorizationHandler(ICurrentContext currentContext)
-    {
-        _currentContext = currentContext;
-    }
-
-    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
-        OrganizationUserOperationRequirement requirement)
-    {
-        if (!_currentContext.UserId.HasValue)
-        {
-            context.Fail();
-            return;
-        }
-
-        if (requirement.OrganizationId == default)
-        {
-            context.Fail();
-            return;
-        }
-
-        var org = _currentContext.GetOrganization(requirement.OrganizationId);
-
-        switch (requirement)
-        {
-            case not null when requirement.Name == nameof(OrganizationUserOperations.ReadAll):
-                await CanReadAllAsync(context, requirement, org);
-                break;
-        }
-    }
-
-    private async Task CanReadAllAsync(AuthorizationHandlerContext context, OrganizationUserOperationRequirement requirement,
-        CurrentContextOrganization? org)
-    {
-        // All users of an organization can read all other users of that organization for collection access management
-        if (org is not null)
-        {
-            context.Succeed(requirement);
-        }
-
-        // Allow provider users to read all organization users if they are a provider for the target organization
-        if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
-        {
-            context.Succeed(requirement);
-        }
-    }
-}
--- a/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserOperations.cs
+++ b/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserOperations.cs
@ -1,22 +0,0 @@
-using Microsoft.AspNetCore.Authorization.Infrastructure;
-
-namespace Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
-
-public class OrganizationUserOperationRequirement : OperationAuthorizationRequirement
-{
-    public Guid OrganizationId { get; }
-
-    public OrganizationUserOperationRequirement(string name, Guid organizationId)
-    {
-        Name = name;
-        OrganizationId = organizationId;
-    }
-}
-
-public static class OrganizationUserOperations
-{
-    public static OrganizationUserOperationRequirement ReadAll(Guid organizationId)
-    {
-        return new OrganizationUserOperationRequirement(nameof(ReadAll), organizationId);
-    }
-}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationScope.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationScope.cs
@ -0,0 +1,23 @@
+#nullable enable
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+
+/// <summary>
+/// A typed wrapper for an organization Guid. This is used for authorization checks
+/// scoped to an organization's resources (e.g. all users for an organization).
+/// In these cases, AuthorizationService needs more than just a Guid, but we also don't want to fetch the
+/// Organization object from the database each time when it's usually not needed.
+/// This should not be used for operations on the organization itself.
+/// It implicitly converts to a regular Guid.
+/// </summary>
+public record OrganizationScope
+{
+    public OrganizationScope(Guid id)
+    {
+        Id = id;
+    }
+    private Guid Id { get; }
+    public static implicit operator Guid(OrganizationScope organizationScope) =>
+        organizationScope.Id;
+    public override string ToString() => Id.ToString();
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserDetailsAuthorizationHandler.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserDetailsAuthorizationHandler.cs
@ -0,0 +1,77 @@
+#nullable enable
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+
+public class OrganizationUserUserDetailsAuthorizationHandler
+    : AuthorizationHandler<OrganizationUserUserDetailsOperationRequirement, OrganizationScope>
+{
+    private readonly ICurrentContext _currentContext;
+    private readonly IFeatureService _featureService;
+
+    public OrganizationUserUserDetailsAuthorizationHandler(ICurrentContext currentContext, IFeatureService featureService)
+    {
+        _currentContext = currentContext;
+        _featureService = featureService;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        OrganizationUserUserDetailsOperationRequirement requirement, OrganizationScope organizationScope)
+    {
+        var authorized = false;
+
+        switch (requirement)
+        {
+            case not null when requirement.Name == nameof(OrganizationUserUserDetailsOperations.ReadAll):
+                authorized = await CanReadAllAsync(organizationScope);
+                break;
+        }
+
+        if (authorized)
+        {
+            context.Succeed(requirement!);
+        }
+    }
+
+    private async Task<bool> CanReadAllAsync(Guid organizationId)
+    {
+        if (_featureService.IsEnabled(FeatureFlagKeys.Pm3478RefactorOrganizationUserApi))
+        {
+            return await CanReadAllAsync_vNext(organizationId);
+        }
+
+        return await CanReadAllAsync_vCurrent(organizationId);
+    }
+
+    private async Task<bool> CanReadAllAsync_vCurrent(Guid organizationId)
+    {
+        // All users of an organization can read all other users of that organization for collection access management
+        var org = _currentContext.GetOrganization(organizationId);
+        if (org is not null)
+        {
+            return true;
+        }
+
+        // Allow provider users to read all organization users if they are a provider for the target organization
+        return await _currentContext.ProviderUserForOrgAsync(organizationId);
+    }
+
+    private async Task<bool> CanReadAllAsync_vNext(Guid organizationId)
+    {
+        // Admins can access this for general user management
+        var organization = _currentContext.GetOrganization(organizationId);
+        if (organization is
+        { Type: OrganizationUserType.Owner } or
+        { Type: OrganizationUserType.Admin } or
+        { Permissions.ManageUsers: true })
+        {
+            return true;
+        }
+
+        // Allow provider users to read all organization users if they are a provider for the target organization
+        return await _currentContext.ProviderUserForOrgAsync(organizationId);
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserDetailsOperations.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserDetailsOperations.cs
@ -0,0 +1,10 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+
+public class OrganizationUserUserDetailsOperationRequirement : OperationAuthorizationRequirement;
+
+public static class OrganizationUserUserDetailsOperations
+{
+    public static OrganizationUserUserDetailsOperationRequirement ReadAll = new() { Name = nameof(ReadAll) };
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserMiniDetailsAuthorizationHandler.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserMiniDetailsAuthorizationHandler.cs
@ -0,0 +1,51 @@
+using Bit.Core.Context;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+
+public class OrganizationUserUserMiniDetailsAuthorizationHandler :
+    AuthorizationHandler<OrganizationUserUserMiniDetailsOperationRequirement, OrganizationScope>
+{
+    private readonly IApplicationCacheService _applicationCacheService;
+    private readonly ICurrentContext _currentContext;
+
+    public OrganizationUserUserMiniDetailsAuthorizationHandler(
+        IApplicationCacheService applicationCacheService,
+        ICurrentContext currentContext)
+    {
+        _applicationCacheService = applicationCacheService;
+        _currentContext = currentContext;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        OrganizationUserUserMiniDetailsOperationRequirement requirement, OrganizationScope organizationScope)
+    {
+        var authorized = false;
+
+        switch (requirement)
+        {
+            case not null when requirement.Name == nameof(OrganizationUserUserMiniDetailsOperations.ReadAll):
+                authorized = await CanReadAllAsync(organizationScope);
+                break;
+        }
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
+        }
+    }
+
+    private async Task<bool> CanReadAllAsync(Guid organizationId)
+    {
+        // All organization users can access this data to manage collection access
+        var organization = _currentContext.GetOrganization(organizationId);
+        if (organization != null)
+        {
+            return true;
+        }
+
+        // Providers can also access this to manage the organization generally
+        return await _currentContext.ProviderUserForOrgAsync(organizationId);
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserMiniDetailsOperations.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserMiniDetailsOperations.cs
@ -0,0 +1,10 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+
+public class OrganizationUserUserMiniDetailsOperationRequirement : OperationAuthorizationRequirement;
+
+public static class OrganizationUserUserMiniDetailsOperations
+{
+    public static readonly OrganizationUserUserMiniDetailsOperationRequirement ReadAll = new() { Name = nameof(ReadAll) };
+}
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@ -143,6 +143,7 @@ public static class FeatureFlagKeys
    public const string EnableNewCardCombinedExpiryAutofill = "enable-new-card-combined-expiry-autofill";
    public const string StorageReseedRefactor = "storage-reseed-refactor";
    public const string TrialPayment = "PM-8163-trial-payment";
+    public const string Pm3478RefactorOrganizationUserApi = "pm-3478-refactor-organizationuser-api";

    public static List<string> GetAllKeys()
    {
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@ -9,6 +9,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationConnections.Interfa
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.Models.Business.Tokenables;
 using Bit.Core.OrganizationFeatures.OrganizationCollections;
@ -28,6 +29,7 @@ using Bit.Core.Settings;
 using Bit.Core.Tokens;
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
@ -141,6 +143,9 @@ public static class OrganizationServiceCollectionExtensions
        services.AddScoped<IAcceptOrgUserCommand, AcceptOrgUserCommand>();
        services.AddScoped<IOrganizationUserUserDetailsQuery, OrganizationUserUserDetailsQuery>();
        services.AddScoped<IGetOrganizationUsersManagementStatusQuery, GetOrganizationUsersManagementStatusQuery>();
+
+        services.AddScoped<IAuthorizationHandler, OrganizationUserUserMiniDetailsAuthorizationHandler>();
+        services.AddScoped<IAuthorizationHandler, OrganizationUserUserDetailsAuthorizationHandler>();
    }

    // TODO: move to OrganizationSubscriptionServiceCollectionExtensions when OrganizationUser methods are moved out of