[SM-378] Enable SM on a user basis (#2590)

* Add support for giving individual users access to secrets manager
2025-07-01 08:02:49 -05:00 · 2023-01-31 18:38:53 +01:00
parent 54353f8b6c
commit cf25d55090
57 changed files with 1419 additions and 400 deletions
--- a/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
+++ b/src/Api/Models/Request/Organizations/OrganizationUserRequestModels.cs
@ -17,6 +17,7 @@ public class OrganizationUserInviteRequestModel
    [Required]
    public OrganizationUserType? Type { get; set; }
    public bool AccessAll { get; set; }
+    public bool AccessSecretsManager { get; set; }
    public Permissions Permissions { get; set; }
    public IEnumerable<SelectionReadOnlyRequestModel> Collections { get; set; }
    public IEnumerable<Guid> Groups { get; set; }
@ -28,6 +29,7 @@ public class OrganizationUserInviteRequestModel
            Emails = Emails,
            Type = Type,
            AccessAll = AccessAll,
+            AccessSecretsManager = AccessSecretsManager,
            Collections = Collections?.Select(c => c.ToSelectionReadOnly()),
            Groups = Groups,
            Permissions = Permissions,
@ -73,6 +75,7 @@ public class OrganizationUserUpdateRequestModel
    [Required]
    public OrganizationUserType? Type { get; set; }
    public bool AccessAll { get; set; }
+    public bool AccessSecretsManager { get; set; }
    public Permissions Permissions { get; set; }
    public IEnumerable<SelectionReadOnlyRequestModel> Collections { get; set; }
    public IEnumerable<Guid> Groups { get; set; }
@ -85,6 +88,7 @@ public class OrganizationUserUpdateRequestModel
            PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
        });
        existingUser.AccessAll = AccessAll;
+        existingUser.AccessSecretsManager = AccessSecretsManager;
        return existingUser;
    }
 }
--- a/src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs
+++ b/src/Api/Models/Response/Organizations/OrganizationUserResponseModel.cs
@ -23,6 +23,7 @@ public class OrganizationUserResponseModel : ResponseModel
        Type = organizationUser.Type;
        Status = organizationUser.Status;
        AccessAll = organizationUser.AccessAll;
+        AccessSecretsManager = organizationUser.AccessSecretsManager;
        Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(organizationUser.Permissions);
        ResetPasswordEnrolled = !string.IsNullOrEmpty(organizationUser.ResetPasswordKey);
    }
@ -40,6 +41,7 @@ public class OrganizationUserResponseModel : ResponseModel
        Type = organizationUser.Type;
        Status = organizationUser.Status;
        AccessAll = organizationUser.AccessAll;
+        AccessSecretsManager = organizationUser.AccessSecretsManager;
        Permissions = CoreHelpers.LoadClassFromJsonData<Permissions>(organizationUser.Permissions);
        ResetPasswordEnrolled = !string.IsNullOrEmpty(organizationUser.ResetPasswordKey);
        UsesKeyConnector = organizationUser.UsesKeyConnector;
@ -50,6 +52,7 @@ public class OrganizationUserResponseModel : ResponseModel
    public OrganizationUserType Type { get; set; }
    public OrganizationUserStatusType Status { get; set; }
    public bool AccessAll { get; set; }
+    public bool AccessSecretsManager { get; set; }
    public Permissions Permissions { get; set; }
    public bool ResetPasswordEnrolled { get; set; }
    public bool UsesKeyConnector { get; set; }
--- a/src/Api/Models/Response/ProfileOrganizationResponseModel.cs
+++ b/src/Api/Models/Response/ProfileOrganizationResponseModel.cs
@ -52,6 +52,7 @@ public class ProfileOrganizationResponseModel : ResponseModel
        FamilySponsorshipLastSyncDate = organization.FamilySponsorshipLastSyncDate;
        FamilySponsorshipToDelete = organization.FamilySponsorshipToDelete;
        FamilySponsorshipValidUntil = organization.FamilySponsorshipValidUntil;
+        AccessSecretsManager = organization.AccessSecretsManager;

        if (organization.SsoConfig != null)
        {
@ -101,4 +102,5 @@ public class ProfileOrganizationResponseModel : ResponseModel
    public DateTime? FamilySponsorshipLastSyncDate { get; set; }
    public DateTime? FamilySponsorshipValidUntil { get; set; }
    public bool? FamilySponsorshipToDelete { get; set; }
+    public bool AccessSecretsManager { get; set; }
 }
--- a/src/Api/SecretsManager/Controllers/ProjectsController.cs
+++ b/src/Api/SecretsManager/Controllers/ProjectsController.cs
@ -7,61 +7,46 @@ using Bit.Core.Exceptions;
 using Bit.Core.SecretsManager.Commands.Projects.Interfaces;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

 namespace Bit.Api.SecretsManager.Controllers;

 [SecretsManager]
+[Authorize("secrets")]
 public class ProjectsController : Controller
 {
+    private readonly ICurrentContext _currentContext;
    private readonly IUserService _userService;
    private readonly IProjectRepository _projectRepository;
    private readonly ICreateProjectCommand _createProjectCommand;
    private readonly IUpdateProjectCommand _updateProjectCommand;
    private readonly IDeleteProjectCommand _deleteProjectCommand;
-    private readonly ICurrentContext _currentContext;

    public ProjectsController(
+        ICurrentContext currentContext,
        IUserService userService,
        IProjectRepository projectRepository,
        ICreateProjectCommand createProjectCommand,
        IUpdateProjectCommand updateProjectCommand,
-        IDeleteProjectCommand deleteProjectCommand,
-        ICurrentContext currentContext)
+        IDeleteProjectCommand deleteProjectCommand)
    {
+        _currentContext = currentContext;
        _userService = userService;
        _projectRepository = projectRepository;
        _createProjectCommand = createProjectCommand;
        _updateProjectCommand = updateProjectCommand;
        _deleteProjectCommand = deleteProjectCommand;
-        _currentContext = currentContext;
    }

-    [HttpPost("organizations/{organizationId}/projects")]
-    public async Task<ProjectResponseModel> CreateAsync([FromRoute] Guid organizationId, [FromBody] ProjectCreateRequestModel createRequest)
+    [HttpGet("organizations/{organizationId}/projects")]
+    public async Task<ListResponseModel<ProjectResponseModel>> ListByOrganizationAsync([FromRoute] Guid organizationId)
    {
-        if (!await _currentContext.OrganizationUser(organizationId))
+        if (!_currentContext.AccessSecretsManager(organizationId))
        {
            throw new NotFoundException();
        }

-        var result = await _createProjectCommand.CreateAsync(createRequest.ToProject(organizationId));
-        return new ProjectResponseModel(result);
-    }
-
-    [HttpPut("projects/{id}")]
-    public async Task<ProjectResponseModel> UpdateProjectAsync([FromRoute] Guid id, [FromBody] ProjectUpdateRequestModel updateRequest)
-    {
-        var userId = _userService.GetProperUserId(User).Value;
-
-        var result = await _updateProjectCommand.UpdateAsync(updateRequest.ToProject(id), userId);
-        return new ProjectResponseModel(result);
-    }
-
-    [HttpGet("organizations/{organizationId}/projects")]
-    public async Task<ListResponseModel<ProjectResponseModel>> GetProjectsByOrganizationAsync(
-        [FromRoute] Guid organizationId)
-    {
        var userId = _userService.GetProperUserId(User).Value;
        var orgAdmin = await _currentContext.OrganizationAdmin(organizationId);
        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
@ -72,8 +57,29 @@ public class ProjectsController : Controller
        return new ListResponseModel<ProjectResponseModel>(responses);
    }

+    [HttpPost("organizations/{organizationId}/projects")]
+    public async Task<ProjectResponseModel> CreateAsync([FromRoute] Guid organizationId, [FromBody] ProjectCreateRequestModel createRequest)
+    {
+        if (!_currentContext.AccessSecretsManager(organizationId))
+        {
+            throw new NotFoundException();
+        }
+
+        var result = await _createProjectCommand.CreateAsync(createRequest.ToProject(organizationId));
+        return new ProjectResponseModel(result);
+    }
+
+    [HttpPut("projects/{id}")]
+    public async Task<ProjectResponseModel> UpdateAsync([FromRoute] Guid id, [FromBody] ProjectUpdateRequestModel updateRequest)
+    {
+        var userId = _userService.GetProperUserId(User).Value;
+
+        var result = await _updateProjectCommand.UpdateAsync(updateRequest.ToProject(id), userId);
+        return new ProjectResponseModel(result);
+    }
+
    [HttpGet("projects/{id}")]
-    public async Task<ProjectResponseModel> GetProjectAsync([FromRoute] Guid id)
+    public async Task<ProjectResponseModel> GetAsync([FromRoute] Guid id)
    {
        var project = await _projectRepository.GetByIdAsync(id);
        if (project == null)
@ -81,6 +87,11 @@ public class ProjectsController : Controller
            throw new NotFoundException();
        }

+        if (!_currentContext.AccessSecretsManager(project.OrganizationId))
+        {
+            throw new NotFoundException();
+        }
+
        var userId = _userService.GetProperUserId(User).Value;
        var orgAdmin = await _currentContext.OrganizationAdmin(project.OrganizationId);
        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
@ -101,7 +112,7 @@ public class ProjectsController : Controller
    }

    [HttpPost("projects/delete")]
-    public async Task<ListResponseModel<BulkDeleteResponseModel>> BulkDeleteProjectsAsync([FromBody] List<Guid> ids)
+    public async Task<ListResponseModel<BulkDeleteResponseModel>> BulkDeleteAsync([FromBody] List<Guid> ids)
    {
        var userId = _userService.GetProperUserId(User).Value;

--- a/src/Api/SecretsManager/Controllers/SecretsController.cs
+++ b/src/Api/SecretsManager/Controllers/SecretsController.cs
@ -1,6 +1,7 @@
 using Bit.Api.Models.Response;
 using Bit.Api.SecretsManager.Models.Request;
 using Bit.Api.SecretsManager.Models.Response;
+using Bit.Core.Context;
 using Bit.Core.Exceptions;
 using Bit.Core.SecretsManager.Commands.Secrets.Interfaces;
 using Bit.Core.SecretsManager.Repositories;
@ -13,30 +14,52 @@ namespace Bit.Api.SecretsManager.Controllers;
 [Authorize("secrets")]
 public class SecretsController : Controller
 {
+    private readonly ICurrentContext _currentContext;
    private readonly ISecretRepository _secretRepository;
-    private readonly IProjectRepository _projectRepository;
    private readonly ICreateSecretCommand _createSecretCommand;
    private readonly IUpdateSecretCommand _updateSecretCommand;
    private readonly IDeleteSecretCommand _deleteSecretCommand;

-    public SecretsController(ISecretRepository secretRepository, IProjectRepository projectRepository, ICreateSecretCommand createSecretCommand, IUpdateSecretCommand updateSecretCommand, IDeleteSecretCommand deleteSecretCommand)
+    public SecretsController(
+        ICurrentContext currentContext,
+        ISecretRepository secretRepository,
+        ICreateSecretCommand createSecretCommand,
+        IUpdateSecretCommand updateSecretCommand,
+        IDeleteSecretCommand deleteSecretCommand)
    {
+        _currentContext = currentContext;
        _secretRepository = secretRepository;
-        _projectRepository = projectRepository;
        _createSecretCommand = createSecretCommand;
        _updateSecretCommand = updateSecretCommand;
        _deleteSecretCommand = deleteSecretCommand;
    }

    [HttpGet("organizations/{organizationId}/secrets")]
-    public async Task<SecretWithProjectsListResponseModel> GetSecretsByOrganizationAsync([FromRoute] Guid organizationId)
+    public async Task<SecretWithProjectsListResponseModel> ListByOrganizationAsync([FromRoute] Guid organizationId)
    {
+        if (!_currentContext.AccessSecretsManager(organizationId))
+        {
+            throw new NotFoundException();
+        }
+
        var secrets = await _secretRepository.GetManyByOrganizationIdAsync(organizationId);
        return new SecretWithProjectsListResponseModel(secrets);
    }

+    [HttpPost("organizations/{organizationId}/secrets")]
+    public async Task<SecretResponseModel> CreateAsync([FromRoute] Guid organizationId, [FromBody] SecretCreateRequestModel createRequest)
+    {
+        if (!_currentContext.AccessSecretsManager(organizationId))
+        {
+            throw new NotFoundException();
+        }
+
+        var result = await _createSecretCommand.CreateAsync(createRequest.ToSecret(organizationId));
+        return new SecretResponseModel(result);
+    }
+
    [HttpGet("secrets/{id}")]
-    public async Task<SecretResponseModel> GetSecretAsync([FromRoute] Guid id)
+    public async Task<SecretResponseModel> GetAsync([FromRoute] Guid id)
    {
        var secret = await _secretRepository.GetByIdAsync(id);
        if (secret == null)
@ -54,15 +77,8 @@ public class SecretsController : Controller
        return new SecretWithProjectsListResponseModel(secrets);
    }

-    [HttpPost("organizations/{organizationId}/secrets")]
-    public async Task<SecretResponseModel> CreateSecretAsync([FromRoute] Guid organizationId, [FromBody] SecretCreateRequestModel createRequest)
-    {
-        var result = await _createSecretCommand.CreateAsync(createRequest.ToSecret(organizationId));
-        return new SecretResponseModel(result);
-    }
-
    [HttpPut("secrets/{id}")]
-    public async Task<SecretResponseModel> UpdateSecretAsync([FromRoute] Guid id, [FromBody] SecretUpdateRequestModel updateRequest)
+    public async Task<SecretResponseModel> UpdateAsync([FromRoute] Guid id, [FromBody] SecretUpdateRequestModel updateRequest)
    {
        var result = await _updateSecretCommand.UpdateAsync(updateRequest.ToSecret(id));
        return new SecretResponseModel(result);
--- a/src/Api/SecretsManager/Controllers/ServiceAccountsController.cs
+++ b/src/Api/SecretsManager/Controllers/ServiceAccountsController.cs
@ -8,43 +8,50 @@ using Bit.Core.SecretsManager.Commands.AccessTokens.Interfaces;
 using Bit.Core.SecretsManager.Commands.ServiceAccounts.Interfaces;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

 namespace Bit.Api.SecretsManager.Controllers;

 [SecretsManager]
+[Authorize("secrets")]
 [Route("service-accounts")]
 public class ServiceAccountsController : Controller
 {
+    private readonly ICurrentContext _currentContext;
    private readonly IApiKeyRepository _apiKeyRepository;
    private readonly ICreateAccessTokenCommand _createAccessTokenCommand;
    private readonly ICreateServiceAccountCommand _createServiceAccountCommand;
-    private readonly ICurrentContext _currentContext;
    private readonly IServiceAccountRepository _serviceAccountRepository;
    private readonly IUpdateServiceAccountCommand _updateServiceAccountCommand;
    private readonly IUserService _userService;

    public ServiceAccountsController(
+        ICurrentContext currentContext,
        IUserService userService,
        IServiceAccountRepository serviceAccountRepository,
        ICreateAccessTokenCommand createAccessTokenCommand,
        IApiKeyRepository apiKeyRepository, ICreateServiceAccountCommand createServiceAccountCommand,
-        IUpdateServiceAccountCommand updateServiceAccountCommand,
-        ICurrentContext currentContext)
+        IUpdateServiceAccountCommand updateServiceAccountCommand)
    {
+        _currentContext = currentContext;
        _userService = userService;
        _serviceAccountRepository = serviceAccountRepository;
        _apiKeyRepository = apiKeyRepository;
        _createServiceAccountCommand = createServiceAccountCommand;
        _updateServiceAccountCommand = updateServiceAccountCommand;
        _createAccessTokenCommand = createAccessTokenCommand;
-        _currentContext = currentContext;
    }

    [HttpGet("/organizations/{organizationId}/service-accounts")]
-    public async Task<ListResponseModel<ServiceAccountResponseModel>> GetServiceAccountsByOrganizationAsync(
+    public async Task<ListResponseModel<ServiceAccountResponseModel>> ListByOrganizationAsync(
        [FromRoute] Guid organizationId)
    {
+        if (!_currentContext.AccessSecretsManager(organizationId))
+        {
+            throw new NotFoundException();
+        }
+
        var userId = _userService.GetProperUserId(User).Value;
        var orgAdmin = await _currentContext.OrganizationAdmin(organizationId);
        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
@ -57,10 +64,10 @@ public class ServiceAccountsController : Controller
    }

    [HttpPost("/organizations/{organizationId}/service-accounts")]
-    public async Task<ServiceAccountResponseModel> CreateServiceAccountAsync([FromRoute] Guid organizationId,
+    public async Task<ServiceAccountResponseModel> CreateAsync([FromRoute] Guid organizationId,
        [FromBody] ServiceAccountCreateRequestModel createRequest)
    {
-        if (!await _currentContext.OrganizationUser(organizationId))
+        if (!_currentContext.AccessSecretsManager(organizationId))
        {
            throw new NotFoundException();
        }
@ -70,7 +77,7 @@ public class ServiceAccountsController : Controller
    }

    [HttpPut("{id}")]
-    public async Task<ServiceAccountResponseModel> UpdateServiceAccountAsync([FromRoute] Guid id,
+    public async Task<ServiceAccountResponseModel> UpdateAsync([FromRoute] Guid id,
        [FromBody] ServiceAccountUpdateRequestModel updateRequest)
    {
        var userId = _userService.GetProperUserId(User).Value;
@ -89,6 +96,11 @@ public class ServiceAccountsController : Controller
            throw new NotFoundException();
        }

+        if (!_currentContext.AccessSecretsManager(serviceAccount.OrganizationId))
+        {
+            throw new NotFoundException();
+        }
+
        var orgAdmin = await _currentContext.OrganizationAdmin(serviceAccount.OrganizationId);
        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);