[PM-3478] Refactor OrganizationUser api (#4752)

* Add OrganizationUserMiniDetails endpoint, models and authorization * Restrict access to current OrganizationUserUserDetails endpoint Both are behind feature flags
2025-07-01 08:02:49 -05:00 · 2024-10-01 07:14:16 +10:00
parent 7368e57b7b
commit c94a084c86
16 changed files with 514 additions and 211 deletions
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationScope.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationScope.cs
@ -0,0 +1,23 @@
+#nullable enable
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+
+/// <summary>
+/// A typed wrapper for an organization Guid. This is used for authorization checks
+/// scoped to an organization's resources (e.g. all users for an organization).
+/// In these cases, AuthorizationService needs more than just a Guid, but we also don't want to fetch the
+/// Organization object from the database each time when it's usually not needed.
+/// This should not be used for operations on the organization itself.
+/// It implicitly converts to a regular Guid.
+/// </summary>
+public record OrganizationScope
+{
+    public OrganizationScope(Guid id)
+    {
+        Id = id;
+    }
+    private Guid Id { get; }
+    public static implicit operator Guid(OrganizationScope organizationScope) =>
+        organizationScope.Id;
+    public override string ToString() => Id.ToString();
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserDetailsAuthorizationHandler.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserDetailsAuthorizationHandler.cs
@ -0,0 +1,77 @@
+#nullable enable
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+
+public class OrganizationUserUserDetailsAuthorizationHandler
+    : AuthorizationHandler<OrganizationUserUserDetailsOperationRequirement, OrganizationScope>
+{
+    private readonly ICurrentContext _currentContext;
+    private readonly IFeatureService _featureService;
+
+    public OrganizationUserUserDetailsAuthorizationHandler(ICurrentContext currentContext, IFeatureService featureService)
+    {
+        _currentContext = currentContext;
+        _featureService = featureService;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        OrganizationUserUserDetailsOperationRequirement requirement, OrganizationScope organizationScope)
+    {
+        var authorized = false;
+
+        switch (requirement)
+        {
+            case not null when requirement.Name == nameof(OrganizationUserUserDetailsOperations.ReadAll):
+                authorized = await CanReadAllAsync(organizationScope);
+                break;
+        }
+
+        if (authorized)
+        {
+            context.Succeed(requirement!);
+        }
+    }
+
+    private async Task<bool> CanReadAllAsync(Guid organizationId)
+    {
+        if (_featureService.IsEnabled(FeatureFlagKeys.Pm3478RefactorOrganizationUserApi))
+        {
+            return await CanReadAllAsync_vNext(organizationId);
+        }
+
+        return await CanReadAllAsync_vCurrent(organizationId);
+    }
+
+    private async Task<bool> CanReadAllAsync_vCurrent(Guid organizationId)
+    {
+        // All users of an organization can read all other users of that organization for collection access management
+        var org = _currentContext.GetOrganization(organizationId);
+        if (org is not null)
+        {
+            return true;
+        }
+
+        // Allow provider users to read all organization users if they are a provider for the target organization
+        return await _currentContext.ProviderUserForOrgAsync(organizationId);
+    }
+
+    private async Task<bool> CanReadAllAsync_vNext(Guid organizationId)
+    {
+        // Admins can access this for general user management
+        var organization = _currentContext.GetOrganization(organizationId);
+        if (organization is
+        { Type: OrganizationUserType.Owner } or
+        { Type: OrganizationUserType.Admin } or
+        { Permissions.ManageUsers: true })
+        {
+            return true;
+        }
+
+        // Allow provider users to read all organization users if they are a provider for the target organization
+        return await _currentContext.ProviderUserForOrgAsync(organizationId);
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserDetailsOperations.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserDetailsOperations.cs
@ -0,0 +1,10 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+
+public class OrganizationUserUserDetailsOperationRequirement : OperationAuthorizationRequirement;
+
+public static class OrganizationUserUserDetailsOperations
+{
+    public static OrganizationUserUserDetailsOperationRequirement ReadAll = new() { Name = nameof(ReadAll) };
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserMiniDetailsAuthorizationHandler.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserMiniDetailsAuthorizationHandler.cs
@ -0,0 +1,51 @@
+using Bit.Core.Context;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+
+public class OrganizationUserUserMiniDetailsAuthorizationHandler :
+    AuthorizationHandler<OrganizationUserUserMiniDetailsOperationRequirement, OrganizationScope>
+{
+    private readonly IApplicationCacheService _applicationCacheService;
+    private readonly ICurrentContext _currentContext;
+
+    public OrganizationUserUserMiniDetailsAuthorizationHandler(
+        IApplicationCacheService applicationCacheService,
+        ICurrentContext currentContext)
+    {
+        _applicationCacheService = applicationCacheService;
+        _currentContext = currentContext;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        OrganizationUserUserMiniDetailsOperationRequirement requirement, OrganizationScope organizationScope)
+    {
+        var authorized = false;
+
+        switch (requirement)
+        {
+            case not null when requirement.Name == nameof(OrganizationUserUserMiniDetailsOperations.ReadAll):
+                authorized = await CanReadAllAsync(organizationScope);
+                break;
+        }
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
+        }
+    }
+
+    private async Task<bool> CanReadAllAsync(Guid organizationId)
+    {
+        // All organization users can access this data to manage collection access
+        var organization = _currentContext.GetOrganization(organizationId);
+        if (organization != null)
+        {
+            return true;
+        }
+
+        // Providers can also access this to manage the organization generally
+        return await _currentContext.ProviderUserForOrgAsync(organizationId);
+    }
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserMiniDetailsOperations.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserMiniDetailsOperations.cs
@ -0,0 +1,10 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+
+public class OrganizationUserUserMiniDetailsOperationRequirement : OperationAuthorizationRequirement;
+
+public static class OrganizationUserUserMiniDetailsOperations
+{
+    public static readonly OrganizationUserUserMiniDetailsOperationRequirement ReadAll = new() { Name = nameof(ReadAll) };
+}
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@ -143,6 +143,7 @@ public static class FeatureFlagKeys
    public const string EnableNewCardCombinedExpiryAutofill = "enable-new-card-combined-expiry-autofill";
    public const string StorageReseedRefactor = "storage-reseed-refactor";
    public const string TrialPayment = "PM-8163-trial-payment";
+    public const string Pm3478RefactorOrganizationUserApi = "pm-3478-refactor-organizationuser-api";

    public static List<string> GetAllKeys()
    {
--- a/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
+++ b/src/Core/OrganizationFeatures/OrganizationServiceCollectionExtensions.cs
@ -9,6 +9,7 @@ using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationConnections.Interfa
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationDomains.Interfaces;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
+using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
 using Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
 using Bit.Core.Models.Business.Tokenables;
 using Bit.Core.OrganizationFeatures.OrganizationCollections;
@ -28,6 +29,7 @@ using Bit.Core.Settings;
 using Bit.Core.Tokens;
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers;
 using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
@ -141,6 +143,9 @@ public static class OrganizationServiceCollectionExtensions
        services.AddScoped<IAcceptOrgUserCommand, AcceptOrgUserCommand>();
        services.AddScoped<IOrganizationUserUserDetailsQuery, OrganizationUserUserDetailsQuery>();
        services.AddScoped<IGetOrganizationUsersManagementStatusQuery, GetOrganizationUsersManagementStatusQuery>();
+
+        services.AddScoped<IAuthorizationHandler, OrganizationUserUserMiniDetailsAuthorizationHandler>();
+        services.AddScoped<IAuthorizationHandler, OrganizationUserUserDetailsAuthorizationHandler>();
    }

    // TODO: move to OrganizationSubscriptionServiceCollectionExtensions when OrganizationUser methods are moved out of