nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-05-20 19:14:32 -05:00
Code

[AC-2068] Allows Users to read all users/groups when Flexible Collections is enabled (#3720)

Browse Source 
* [AC-2068] Allow any member of an org to read all users for that organization with flexible collections

* [AC-2068] Allow any member of an org to read all groups for that organization with flexible collections

* [AC-2068] Formatting
This commit is contained in:
Shane Melton 2024-01-30 09:53:56 -08:00 committed by GitHub
parent 7180a6618e
commit ca2915494d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 12 additions and 270 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
src/Api/Vault/AuthorizationHandlers/Groups/GroupAuthorizationHandler.cs
View File

@ -1,8 +1,5 @@
#nullable enable #nullable enable
using Bit.Core.Context; using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.Services;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
namespace Bit.Api.Vault.AuthorizationHandlers.Groups; namespace Bit.Api.Vault.AuthorizationHandlers.Groups;
@ -14,17 +11,10 @@ namespace Bit.Api.Vault.AuthorizationHandlers.Groups;
public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequirement> public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequirement>
{ {
private readonly ICurrentContext _currentContext; private readonly ICurrentContext _currentContext;
private readonly IFeatureService _featureService;
private readonly IApplicationCacheService _applicationCacheService;
public GroupAuthorizationHandler( public GroupAuthorizationHandler(ICurrentContext currentContext)
ICurrentContext currentContext,
IFeatureService featureService,
IApplicationCacheService applicationCacheService)
{ {
_currentContext = currentContext; _currentContext = currentContext;
_featureService = featureService;
_applicationCacheService = applicationCacheService;
} }
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@ -56,22 +46,8 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
private async Task CanReadAllAsync(AuthorizationHandlerContext context, GroupOperationRequirement requirement, private async Task CanReadAllAsync(AuthorizationHandlerContext context, GroupOperationRequirement requirement,
CurrentContextOrganization? org) CurrentContextOrganization? org)
{ {
// Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all groups // All users of an organization can read all groups belonging to the organization for collection access management
if (org is if (org is not null)
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
{ Permissions.ManageGroups: true } or
{ Permissions.ManageUsers: true } or
{ Permissions.EditAnyCollection: true } or
{ Permissions.DeleteAnyCollection: true } or
{ Permissions.CreateNewCollections: true })
{
context.Succeed(requirement);
return;
}
// Check for non-null org here: the user must be apart of the organization for this setting to take affect
// If the limit collection management setting is disabled, allow any user to read all groups
if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
{ {
context.Succeed(requirement); context.Succeed(requirement);
return; return;
@ -83,16 +59,4 @@ public class GroupAuthorizationHandler : AuthorizationHandler<GroupOperationRequ
context.Succeed(requirement); context.Succeed(requirement);
} }
} }
private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
{
// If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
// irrelevant
if (organization == null)
{
return null;
}
return await _applicationCacheService.GetOrganizationAbilityAsync(organization.Id);
}
} }

44
src/Api/Vault/AuthorizationHandlers/OrganizationUsers/OrganizationUserAuthorizationHandler.cs
View File

@ -1,8 +1,5 @@
#nullable enable #nullable enable
using Bit.Core.Context; using Bit.Core.Context;
using Bit.Core.Enums;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.Services;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
namespace Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers; namespace Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
@ -14,17 +11,10 @@ namespace Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
public class OrganizationUserAuthorizationHandler : AuthorizationHandler<OrganizationUserOperationRequirement> public class OrganizationUserAuthorizationHandler : AuthorizationHandler<OrganizationUserOperationRequirement>
{ {
private readonly ICurrentContext _currentContext; private readonly ICurrentContext _currentContext;
private readonly IFeatureService _featureService;
private readonly IApplicationCacheService _applicationCacheService;
public OrganizationUserAuthorizationHandler( public OrganizationUserAuthorizationHandler(ICurrentContext currentContext)
ICurrentContext currentContext,
IFeatureService featureService,
IApplicationCacheService applicationCacheService)
{ {
_currentContext = currentContext; _currentContext = currentContext;
_featureService = featureService;
_applicationCacheService = applicationCacheService;
} }
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
@ -55,26 +45,10 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
private async Task CanReadAllAsync(AuthorizationHandlerContext context, OrganizationUserOperationRequirement requirement, private async Task CanReadAllAsync(AuthorizationHandlerContext context, OrganizationUserOperationRequirement requirement,
CurrentContextOrganization? org) CurrentContextOrganization? org)
{ {
// If the limit collection management setting is disabled, allow any user to read all organization users // All users of an organization can read all other users of that organization for collection access management
// Otherwise, Owners, Admins, and users with any of ManageGroups, ManageUsers, EditAnyCollection, DeleteAnyCollection, CreateNewCollections permissions can always read all organization users if (org is not null)
if (org is
{ Type: OrganizationUserType.Owner or OrganizationUserType.Admin } or
{ Permissions.ManageGroups: true } or
{ Permissions.ManageUsers: true } or
{ Permissions.EditAnyCollection: true } or
{ Permissions.DeleteAnyCollection: true } or
{ Permissions.CreateNewCollections: true })
{ {
context.Succeed(requirement); context.Succeed(requirement);
return;
}
// Check for non-null org here: the user must be apart of the organization for this setting to take affect
// If the limit collection management setting is disabled, allow any user to read all organization users
if (await GetOrganizationAbilityAsync(org) is { LimitCollectionCreationDeletion: false })
{
context.Succeed(requirement);
return;
} }
// Allow provider users to read all organization users if they are a provider for the target organization // Allow provider users to read all organization users if they are a provider for the target organization
@ -83,16 +57,4 @@ public class OrganizationUserAuthorizationHandler : AuthorizationHandler<Organiz
context.Succeed(requirement); context.Succeed(requirement);
} }
} }
private async Task<OrganizationAbility?> GetOrganizationAbilityAsync(CurrentContextOrganization? organization)
{
// If the CurrentContextOrganization is null, then the user isn't a member of the org so the setting is
// irrelevant
if (organization == null)
{
return null;
}
return await _applicationCacheService.GetOrganizationAbilityAsync(organization.Id);
}
} }

98
test/Api.Test/Vault/AuthorizationHandlers/GroupAuthorizationHandlerTests.cs
View File

@ -3,8 +3,6 @@ using Bit.Api.Vault.AuthorizationHandlers.Groups;
using Bit.Core.Context; using Bit.Core.Context;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Models.Data; using Bit.Core.Models.Data;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.Services;
using Bit.Test.Common.AutoFixture; using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes; using Bit.Test.Common.AutoFixture.Attributes;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
@ -19,7 +17,9 @@ public class GroupAuthorizationHandlerTests
[Theory] [Theory]
[BitAutoData(OrganizationUserType.Admin)] [BitAutoData(OrganizationUserType.Admin)]
[BitAutoData(OrganizationUserType.Owner)] [BitAutoData(OrganizationUserType.Owner)]
public async Task CanReadAllAsync_WhenAdminOrOwner_Success( [BitAutoData(OrganizationUserType.User)]
[BitAutoData(OrganizationUserType.Custom)]
public async Task CanReadAllAsync_WhenMemberOfOrg_Success(
OrganizationUserType userType, OrganizationUserType userType,
Guid userId, SutProvider<GroupAuthorizationHandler> sutProvider, Guid userId, SutProvider<GroupAuthorizationHandler> sutProvider,
CurrentContextOrganization organization) CurrentContextOrganization organization)
@ -27,8 +27,6 @@ public class GroupAuthorizationHandlerTests
organization.Type = userType; organization.Type = userType;
organization.Permissions = new Permissions(); organization.Permissions = new Permissions();
ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext( var context = new AuthorizationHandlerContext(
new[] { GroupOperations.ReadAll(organization.Id) }, new[] { GroupOperations.ReadAll(organization.Id) },
new ClaimsPrincipal(), new ClaimsPrincipal(),
@ -50,8 +48,6 @@ public class GroupAuthorizationHandlerTests
organization.Type = OrganizationUserType.User; organization.Type = OrganizationUserType.User;
organization.Permissions = new Permissions(); organization.Permissions = new Permissions();
ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext( var context = new AuthorizationHandlerContext(
new[] { GroupOperations.ReadAll(organization.Id) }, new[] { GroupOperations.ReadAll(organization.Id) },
new ClaimsPrincipal(), new ClaimsPrincipal(),
@ -69,87 +65,12 @@ public class GroupAuthorizationHandlerTests
Assert.True(context.HasSucceeded); Assert.True(context.HasSucceeded);
} }
[Theory]
[BitAutoData(true, false, false, false, true)]
[BitAutoData(false, true, false, false, true)]
[BitAutoData(false, false, true, false, true)]
[BitAutoData(false, false, false, true, true)]
[BitAutoData(false, false, false, false, false)]
public async Task CanReadAllAsync_WhenCustomUserWithRequiredPermissions_Success(
bool editAnyCollection, bool deleteAnyCollection, bool manageGroups,
bool manageUsers, bool limitCollectionCreationDeletion,
SutProvider<GroupAuthorizationHandler> sutProvider,
CurrentContextOrganization organization)
{
var actingUserId = Guid.NewGuid();
organization.Type = OrganizationUserType.Custom;
organization.Permissions = new Permissions
{
EditAnyCollection = editAnyCollection,
DeleteAnyCollection = deleteAnyCollection,
ManageGroups = manageGroups,
ManageUsers = manageUsers
};
ArrangeOrganizationAbility(sutProvider, organization, limitCollectionCreationDeletion);
var context = new AuthorizationHandlerContext(
new[] { GroupOperations.ReadAll(organization.Id) },
new ClaimsPrincipal(),
null);
sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
await sutProvider.Sut.HandleAsync(context);
Assert.True(context.HasSucceeded);
}
[Theory]
[BitAutoData(OrganizationUserType.User)]
[BitAutoData(OrganizationUserType.Custom)]
public async Task CanReadAllAsync_WhenMissingPermissions_NoSuccess(
OrganizationUserType userType,
SutProvider<GroupAuthorizationHandler> sutProvider,
CurrentContextOrganization organization)
{
var actingUserId = Guid.NewGuid();
organization.Type = userType;
organization.Permissions = new Permissions
{
EditAnyCollection = false,
DeleteAnyCollection = false,
ManageGroups = false,
ManageUsers = false,
AccessImportExport = false
};
ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext(
new[] { GroupOperations.ReadAll(organization.Id) },
new ClaimsPrincipal(),
null);
sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
await sutProvider.Sut.HandleAsync(context);
Assert.False(context.HasSucceeded);
}
[Theory, BitAutoData] [Theory, BitAutoData]
public async Task CanReadAllAsync_WhenMissingOrgAccess_NoSuccess( public async Task CanReadAllAsync_WhenMissingOrgAccess_NoSuccess(
Guid userId, Guid userId,
CurrentContextOrganization organization, CurrentContextOrganization organization,
SutProvider<GroupAuthorizationHandler> sutProvider) SutProvider<GroupAuthorizationHandler> sutProvider)
{ {
ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext( var context = new AuthorizationHandlerContext(
new[] { GroupOperations.ReadAll(organization.Id) }, new[] { GroupOperations.ReadAll(organization.Id) },
@ -201,17 +122,4 @@ public class GroupAuthorizationHandlerTests
Assert.False(context.HasSucceeded); Assert.False(context.HasSucceeded);
Assert.True(context.HasFailed); Assert.True(context.HasFailed);
} }
private static void ArrangeOrganizationAbility(
SutProvider<GroupAuthorizationHandler> sutProvider,
CurrentContextOrganization organization, bool limitCollectionCreationDeletion)
{
var organizationAbility = new OrganizationAbility();
organizationAbility.Id = organization.Id;
organizationAbility.FlexibleCollections = true;
organizationAbility.LimitCollectionCreationDeletion = limitCollectionCreationDeletion;
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organizationAbility.Id)
.Returns(organizationAbility);
}
} }

98
test/Api.Test/Vault/AuthorizationHandlers/OrganizationUserAuthorizationHandlerTests.cs
View File

@ -3,8 +3,6 @@ using Bit.Api.Vault.AuthorizationHandlers.OrganizationUsers;
using Bit.Core.Context; using Bit.Core.Context;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Models.Data; using Bit.Core.Models.Data;
using Bit.Core.Models.Data.Organizations;
using Bit.Core.Services;
using Bit.Test.Common.AutoFixture; using Bit.Test.Common.AutoFixture;
using Bit.Test.Common.AutoFixture.Attributes; using Bit.Test.Common.AutoFixture.Attributes;
using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Authorization;
@ -19,7 +17,9 @@ public class OrganizationUserAuthorizationHandlerTests
[Theory] [Theory]
[BitAutoData(OrganizationUserType.Admin)] [BitAutoData(OrganizationUserType.Admin)]
[BitAutoData(OrganizationUserType.Owner)] [BitAutoData(OrganizationUserType.Owner)]
public async Task CanReadAllAsync_WhenAdminOrOwner_Success( [BitAutoData(OrganizationUserType.User)]
[BitAutoData(OrganizationUserType.Custom)]
public async Task CanReadAllAsync_WhenMemberOfOrg_Success(
OrganizationUserType userType, OrganizationUserType userType,
Guid userId, SutProvider<OrganizationUserAuthorizationHandler> sutProvider, Guid userId, SutProvider<OrganizationUserAuthorizationHandler> sutProvider,
CurrentContextOrganization organization) CurrentContextOrganization organization)
@ -27,8 +27,6 @@ public class OrganizationUserAuthorizationHandlerTests
organization.Type = userType; organization.Type = userType;
organization.Permissions = new Permissions(); organization.Permissions = new Permissions();
ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext( var context = new AuthorizationHandlerContext(
new[] { OrganizationUserOperations.ReadAll(organization.Id) }, new[] { OrganizationUserOperations.ReadAll(organization.Id) },
new ClaimsPrincipal(), new ClaimsPrincipal(),
@ -50,8 +48,6 @@ public class OrganizationUserAuthorizationHandlerTests
organization.Type = OrganizationUserType.User; organization.Type = OrganizationUserType.User;
organization.Permissions = new Permissions(); organization.Permissions = new Permissions();
ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext( var context = new AuthorizationHandlerContext(
new[] { OrganizationUserOperations.ReadAll(organization.Id) }, new[] { OrganizationUserOperations.ReadAll(organization.Id) },
new ClaimsPrincipal(), new ClaimsPrincipal(),
@ -69,87 +65,12 @@ public class OrganizationUserAuthorizationHandlerTests
Assert.True(context.HasSucceeded); Assert.True(context.HasSucceeded);
} }
[Theory]
[BitAutoData(true, false, false, false, true)]
[BitAutoData(false, true, false, false, true)]
[BitAutoData(false, false, true, false, true)]
[BitAutoData(false, false, false, true, true)]
[BitAutoData(false, false, false, false, false)]
public async Task CanReadAllAsync_WhenCustomUserWithRequiredPermissions_Success(
bool editAnyCollection, bool deleteAnyCollection, bool manageGroups,
bool manageUsers, bool limitCollectionCreationDeletion,
SutProvider<OrganizationUserAuthorizationHandler> sutProvider,
CurrentContextOrganization organization)
{
var actingUserId = Guid.NewGuid();
organization.Type = OrganizationUserType.Custom;
organization.Permissions = new Permissions
{
EditAnyCollection = editAnyCollection,
DeleteAnyCollection = deleteAnyCollection,
ManageGroups = manageGroups,
ManageUsers = manageUsers
};
ArrangeOrganizationAbility(sutProvider, organization, limitCollectionCreationDeletion);
var context = new AuthorizationHandlerContext(
new[] { OrganizationUserOperations.ReadAll(organization.Id) },
new ClaimsPrincipal(),
null);
sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
await sutProvider.Sut.HandleAsync(context);
Assert.True(context.HasSucceeded);
}
[Theory]
[BitAutoData(OrganizationUserType.User)]
[BitAutoData(OrganizationUserType.Custom)]
public async Task CanReadAllAsync_WhenMissingPermissions_NoSuccess(
OrganizationUserType userType,
SutProvider<OrganizationUserAuthorizationHandler> sutProvider,
CurrentContextOrganization organization)
{
var actingUserId = Guid.NewGuid();
organization.Type = userType;
organization.Permissions = new Permissions
{
EditAnyCollection = false,
DeleteAnyCollection = false,
ManageGroups = false,
ManageUsers = false
};
ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext(
new[] { OrganizationUserOperations.ReadAll(organization.Id) },
new ClaimsPrincipal(),
null);
sutProvider.GetDependency<ICurrentContext>().UserId.Returns(actingUserId);
sutProvider.GetDependency<ICurrentContext>().GetOrganization(organization.Id).Returns(organization);
sutProvider.GetDependency<ICurrentContext>().ProviderUserForOrgAsync(Arg.Any<Guid>()).Returns(false);
await sutProvider.Sut.HandleAsync(context);
Assert.False(context.HasSucceeded);
}
[Theory, BitAutoData] [Theory, BitAutoData]
public async Task HandleRequirementAsync_WhenMissingOrgAccess_NoSuccess( public async Task HandleRequirementAsync_WhenMissingOrgAccess_NoSuccess(
Guid userId, Guid userId,
CurrentContextOrganization organization, CurrentContextOrganization organization,
SutProvider<OrganizationUserAuthorizationHandler> sutProvider) SutProvider<OrganizationUserAuthorizationHandler> sutProvider)
{ {
ArrangeOrganizationAbility(sutProvider, organization, true);
var context = new AuthorizationHandlerContext( var context = new AuthorizationHandlerContext(
new[] { OrganizationUserOperations.ReadAll(organization.Id) }, new[] { OrganizationUserOperations.ReadAll(organization.Id) },
new ClaimsPrincipal(), new ClaimsPrincipal(),
@ -198,17 +119,4 @@ public class OrganizationUserAuthorizationHandlerTests
Assert.True(context.HasFailed); Assert.True(context.HasFailed);
} }
private static void ArrangeOrganizationAbility(
SutProvider<OrganizationUserAuthorizationHandler> sutProvider,
CurrentContextOrganization organization, bool limitCollectionCreationDeletion)
{
var organizationAbility = new OrganizationAbility();
organizationAbility.Id = organization.Id;
organizationAbility.FlexibleCollections = true;
organizationAbility.LimitCollectionCreationDeletion = limitCollectionCreationDeletion;
sutProvider.GetDependency<IApplicationCacheService>().GetOrganizationAbilityAsync(organizationAbility.Id)
.Returns(organizationAbility);
}
} }