[PM-3478] Refactor OrganizationUser api (#4752)

* Add OrganizationUserMiniDetails endpoint, models and authorization * Restrict access to current OrganizationUserUserDetails endpoint Both are behind feature flags
2025-07-02 16:42:50 -05:00 · 2024-10-01 07:14:16 +10:00
parent 7368e57b7b
commit c94a084c86
16 changed files with 514 additions and 211 deletions
--- a/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
+++ b/src/Api/AdminConsole/Controllers/OrganizationUsersController.cs
@ -3,10 +3,10 @@ using Bit.Api.AdminConsole.Models.Response.Organizations;
 using Bit.Api.Models.Request.Organizations;
 using Bit.Api.Models.Response;
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
-using Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
 using Bit.Core;
 using Bit.Core.AdminConsole.Enums;
 using Bit.Core.AdminConsole.Models.Data.Organizations.Policies;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Auth.Enums;
@ -44,7 +44,6 @@ public class OrganizationUsersController : Controller
    private readonly ICountNewSmSeatsRequiredQuery _countNewSmSeatsRequiredQuery;
    private readonly IUpdateSecretsManagerSubscriptionCommand _updateSecretsManagerSubscriptionCommand;
    private readonly IUpdateOrganizationUserCommand _updateOrganizationUserCommand;
-    private readonly IUpdateOrganizationUserGroupsCommand _updateOrganizationUserGroupsCommand;
    private readonly IAcceptOrgUserCommand _acceptOrgUserCommand;
    private readonly IAuthorizationService _authorizationService;
    private readonly IApplicationCacheService _applicationCacheService;
@ -66,7 +65,6 @@ public class OrganizationUsersController : Controller
        ICountNewSmSeatsRequiredQuery countNewSmSeatsRequiredQuery,
        IUpdateSecretsManagerSubscriptionCommand updateSecretsManagerSubscriptionCommand,
        IUpdateOrganizationUserCommand updateOrganizationUserCommand,
-        IUpdateOrganizationUserGroupsCommand updateOrganizationUserGroupsCommand,
        IAcceptOrgUserCommand acceptOrgUserCommand,
        IAuthorizationService authorizationService,
        IApplicationCacheService applicationCacheService,
@ -86,7 +84,6 @@ public class OrganizationUsersController : Controller
        _countNewSmSeatsRequiredQuery = countNewSmSeatsRequiredQuery;
        _updateSecretsManagerSubscriptionCommand = updateSecretsManagerSubscriptionCommand;
        _updateOrganizationUserCommand = updateOrganizationUserCommand;
-        _updateOrganizationUserGroupsCommand = updateOrganizationUserGroupsCommand;
        _acceptOrgUserCommand = acceptOrgUserCommand;
        _authorizationService = authorizationService;
        _applicationCacheService = applicationCacheService;
@ -115,11 +112,27 @@ public class OrganizationUsersController : Controller
        return response;
    }

+    [HttpGet("mini-details")]
+    [RequireFeature(FeatureFlagKeys.Pm3478RefactorOrganizationUserApi)]
+    public async Task<ListResponseModel<OrganizationUserUserMiniDetailsResponseModel>> GetMiniDetails(Guid orgId)
+    {
+        var authorizationResult = await _authorizationService.AuthorizeAsync(User, new OrganizationScope(orgId),
+            OrganizationUserUserMiniDetailsOperations.ReadAll);
+        if (!authorizationResult.Succeeded)
+        {
+            throw new NotFoundException();
+        }
+
+        var organizationUserUserDetails = await _organizationUserRepository.GetManyDetailsByOrganizationAsync(orgId);
+        return new ListResponseModel<OrganizationUserUserMiniDetailsResponseModel>(
+            organizationUserUserDetails.Select(ou => new OrganizationUserUserMiniDetailsResponseModel(ou)));
+    }
+
    [HttpGet("")]
    public async Task<ListResponseModel<OrganizationUserUserDetailsResponseModel>> Get(Guid orgId, bool includeGroups = false, bool includeCollections = false)
    {
        var authorized = (await _authorizationService.AuthorizeAsync(
-            User, OrganizationUserOperations.ReadAll(orgId))).Succeeded;
+            User, new OrganizationScope(orgId), OrganizationUserUserDetailsOperations.ReadAll)).Succeeded;
        if (!authorized)
        {
            throw new NotFoundException();
--- a/src/Api/AdminConsole/Models/Response/Organizations/OrganizationUserResponseModel.cs
+++ b/src/Api/AdminConsole/Models/Response/Organizations/OrganizationUserResponseModel.cs
@ -84,6 +84,29 @@ public class OrganizationUserDetailsResponseModel : OrganizationUserResponseMode
    public IEnumerable<Guid> Groups { get; set; }
 }

+#nullable enable
+public class OrganizationUserUserMiniDetailsResponseModel : ResponseModel
+{
+    public OrganizationUserUserMiniDetailsResponseModel(OrganizationUserUserDetails organizationUser)
+        : base("organizationUserUserMiniDetails")
+    {
+        Id = organizationUser.Id;
+        UserId = organizationUser.UserId;
+        Type = organizationUser.Type;
+        Status = organizationUser.Status;
+        Name = organizationUser.Name;
+        Email = organizationUser.Email;
+    }
+
+    public Guid Id { get; }
+    public Guid? UserId { get; }
+    public OrganizationUserType Type { get; }
+    public OrganizationUserStatusType Status { get; }
+    public string? Name { get; }
+    public string Email { get; }
+}
+#nullable disable
+
 public class OrganizationUserUserDetailsResponseModel : OrganizationUserResponseModel
 {
    public OrganizationUserUserDetailsResponseModel(OrganizationUserUserDetails organizationUser,
--- a/src/Api/Utilities/ServiceCollectionExtensions.cs
+++ b/src/Api/Utilities/ServiceCollectionExtensions.cs
@ -1,6 +1,5 @@
 using Bit.Api.Vault.AuthorizationHandlers.Collections;
 using Bit.Api.Vault.AuthorizationHandlers.Groups;
-using Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
 using Bit.Core.IdentityServer;
 using Bit.Core.Settings;
 using Bit.Core.Utilities;
@ -100,6 +99,5 @@ public static class ServiceCollectionExtensions
        services.AddScoped<IAuthorizationHandler, BulkCollectionAuthorizationHandler>();
        services.AddScoped<IAuthorizationHandler, CollectionAuthorizationHandler>();
        services.AddScoped<IAuthorizationHandler, GroupAuthorizationHandler>();
-        services.AddScoped<IAuthorizationHandler, OrganizationUserAuthorizationHandler>();
    }
 }
--- a/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserAuthorizationHandler.cs
+++ b/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserAuthorizationHandler.cs
@ -1,60 +0,0 @@
-#nullable enable
-using Bit.Core.Context;
-using Microsoft.AspNetCore.Authorization;
-
-namespace Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
-
-/// <summary>
-/// Handles authorization logic for OrganizationUser objects.
-/// This uses new logic implemented in the Flexible Collections initiative.
-/// </summary>
-public class OrganizationUserAuthorizationHandler : AuthorizationHandler<OrganizationUserOperationRequirement>
-{
-    private readonly ICurrentContext _currentContext;
-
-    public OrganizationUserAuthorizationHandler(ICurrentContext currentContext)
-    {
-        _currentContext = currentContext;
-    }
-
-    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
-        OrganizationUserOperationRequirement requirement)
-    {
-        if (!_currentContext.UserId.HasValue)
-        {
-            context.Fail();
-            return;
-        }
-
-        if (requirement.OrganizationId == default)
-        {
-            context.Fail();
-            return;
-        }
-
-        var org = _currentContext.GetOrganization(requirement.OrganizationId);
-
-        switch (requirement)
-        {
-            case not null when requirement.Name == nameof(OrganizationUserOperations.ReadAll):
-                await CanReadAllAsync(context, requirement, org);
-                break;
-        }
-    }
-
-    private async Task CanReadAllAsync(AuthorizationHandlerContext context, OrganizationUserOperationRequirement requirement,
-        CurrentContextOrganization? org)
-    {
-        // All users of an organization can read all other users of that organization for collection access management
-        if (org is not null)
-        {
-            context.Succeed(requirement);
-        }
-
-        // Allow provider users to read all organization users if they are a provider for the target organization
-        if (await _currentContext.ProviderUserForOrgAsync(requirement.OrganizationId))
-        {
-            context.Succeed(requirement);
-        }
-    }
-}
--- a/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserOperations.cs
+++ b/src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserOperations.cs
@ -1,22 +0,0 @@
-using Microsoft.AspNetCore.Authorization.Infrastructure;
-
-namespace Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
-
-public class OrganizationUserOperationRequirement : OperationAuthorizationRequirement
-{
-    public Guid OrganizationId { get; }
-
-    public OrganizationUserOperationRequirement(string name, Guid organizationId)
-    {
-        Name = name;
-        OrganizationId = organizationId;
-    }
-}
-
-public static class OrganizationUserOperations
-{
-    public static OrganizationUserOperationRequirement ReadAll(Guid organizationId)
-    {
-        return new OrganizationUserOperationRequirement(nameof(ReadAll), organizationId);
-    }
-}