[SM-429] Add permission checks to access policy endpoints (#2628)

* Add permission checks to access policy endpoints * Fix unit tests * Add service account grant permission checks * Add service account grant tests * Add new endpoint unit tests * Cleanup unit tests add integration tests * User permission enum in create tests * Swap to NotFoundException for access checks * Add filter for potential grantees * Add in AccessSecretsManager check and test it * Add code review updates * Code review updates * Refactor potential grantees endpoint * Code review updates
2025-06-30 15:42:48 -05:00 · 2023-02-06 11:26:06 -06:00
parent 9110efa44e
commit cf669286ed
20 changed files with 1710 additions and 146 deletions
--- a/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
+++ b/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
@ -1,27 +1,53 @@
-using Bit.Api.SecretsManager.Models.Request;
+using Bit.Api.Models.Response;
+using Bit.Api.SecretsManager.Models.Request;
 using Bit.Api.SecretsManager.Models.Response;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.Repositories;
 using Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
 using Bit.Core.SecretsManager.Entities;
 using Bit.Core.SecretsManager.Repositories;
+using Bit.Core.Services;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;

 namespace Bit.Api.SecretsManager.Controllers;

 [SecretsManager]
+[Authorize("secrets")]
 [Route("access-policies")]
 public class AccessPoliciesController : Controller
 {
    private readonly IAccessPolicyRepository _accessPolicyRepository;
    private readonly ICreateAccessPoliciesCommand _createAccessPoliciesCommand;
+    private readonly ICurrentContext _currentContext;
    private readonly IDeleteAccessPolicyCommand _deleteAccessPolicyCommand;
+    private readonly IGroupRepository _groupRepository;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+    private readonly IProjectRepository _projectRepository;
+    private readonly IServiceAccountRepository _serviceAccountRepository;
    private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
+    private readonly IUserService _userService;

    public AccessPoliciesController(
+        IUserService userService,
+        ICurrentContext currentContext,
        IAccessPolicyRepository accessPolicyRepository,
+        IServiceAccountRepository serviceAccountRepository,
+        IGroupRepository groupRepository,
+        IProjectRepository projectRepository,
+        IOrganizationUserRepository organizationUserRepository,
        ICreateAccessPoliciesCommand createAccessPoliciesCommand,
        IDeleteAccessPolicyCommand deleteAccessPolicyCommand,
        IUpdateAccessPolicyCommand updateAccessPolicyCommand)
    {
+        _userService = userService;
+        _currentContext = currentContext;
+        _serviceAccountRepository = serviceAccountRepository;
+        _projectRepository = projectRepository;
+        _groupRepository = groupRepository;
+        _organizationUserRepository = organizationUserRepository;
        _accessPolicyRepository = accessPolicyRepository;
        _createAccessPoliciesCommand = createAccessPoliciesCommand;
        _deleteAccessPolicyCommand = deleteAccessPolicyCommand;
@ -32,14 +58,18 @@ public class AccessPoliciesController : Controller
    public async Task<ProjectAccessPoliciesResponseModel> CreateProjectAccessPoliciesAsync([FromRoute] Guid id,
        [FromBody] AccessPoliciesCreateRequest request)
    {
+        var userId = _userService.GetProperUserId(User).Value;
        var policies = request.ToBaseAccessPoliciesForProject(id);
-        var results = await _createAccessPoliciesCommand.CreateAsync(policies);
+        var results = await _createAccessPoliciesCommand.CreateForProjectAsync(id, policies, userId);
        return new ProjectAccessPoliciesResponseModel(results);
    }

    [HttpGet("/projects/{id}/access-policies")]
    public async Task<ProjectAccessPoliciesResponseModel> GetProjectAccessPoliciesAsync([FromRoute] Guid id)
    {
+        var project = await _projectRepository.GetByIdAsync(id);
+        await CheckUserHasWriteAccessToProjectAsync(project);
+
        var results = await _accessPolicyRepository.GetManyByGrantedProjectIdAsync(id);
        return new ProjectAccessPoliciesResponseModel(results);
    }
@ -48,7 +78,8 @@ public class AccessPoliciesController : Controller
    public async Task<BaseAccessPolicyResponseModel> UpdateAccessPolicyAsync([FromRoute] Guid id,
        [FromBody] AccessPolicyUpdateRequest request)
    {
-        var result = await _updateAccessPolicyCommand.UpdateAsync(id, request.Read, request.Write);
+        var userId = _userService.GetProperUserId(User).Value;
+        var result = await _updateAccessPolicyCommand.UpdateAsync(id, request.Read, request.Write, userId);

        return result switch
        {
@ -56,13 +87,80 @@ public class AccessPoliciesController : Controller
            GroupProjectAccessPolicy accessPolicy => new GroupProjectAccessPolicyResponseModel(accessPolicy),
            ServiceAccountProjectAccessPolicy accessPolicy => new ServiceAccountProjectAccessPolicyResponseModel(
                accessPolicy),
-            _ => throw new ArgumentException("Unsupported access policy type provided.")
+            _ => throw new ArgumentException("Unsupported access policy type provided."),
        };
    }

    [HttpDelete("{id}")]
    public async Task DeleteAccessPolicyAsync([FromRoute] Guid id)
    {
-        await _deleteAccessPolicyCommand.DeleteAsync(id);
+        var userId = _userService.GetProperUserId(User).Value;
+        await _deleteAccessPolicyCommand.DeleteAsync(id, userId);
+    }
+
+    [HttpGet("/organizations/{id}/access-policies/people/potential-grantees")]
+    public async Task<ListResponseModel<PotentialGranteeResponseModel>> GetPeoplePotentialGranteesAsync([FromRoute] Guid id)
+    {
+        if (!_currentContext.AccessSecretsManager(id))
+        {
+            throw new NotFoundException();
+        }
+
+        var groups = await _groupRepository.GetManyByOrganizationIdAsync(id);
+        var groupResponses = groups.Select(g => new PotentialGranteeResponseModel(g));
+
+        var organizationUsers =
+            await _organizationUserRepository.GetManyDetailsByOrganizationAsync(id);
+        var userResponses = organizationUsers
+            .Where(user => user.AccessSecretsManager)
+            .Select(userDetails => new PotentialGranteeResponseModel(userDetails));
+
+        return new ListResponseModel<PotentialGranteeResponseModel>(userResponses.Concat(groupResponses));
+    }
+
+    [HttpGet("/organizations/{id}/access-policies/service-accounts/potential-grantees")]
+    public async Task<ListResponseModel<PotentialGranteeResponseModel>> GetServiceAccountsPotentialGranteesAsync([FromRoute] Guid id)
+    {
+        if (!_currentContext.AccessSecretsManager(id))
+        {
+            throw new NotFoundException();
+        }
+
+        var userId = _userService.GetProperUserId(User).Value;
+        var orgAdmin = await _currentContext.OrganizationAdmin(id);
+        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
+
+        var serviceAccounts =
+            await _serviceAccountRepository.GetManyByOrganizationIdWriteAccessAsync(id,
+                userId,
+                accessClient);
+        var serviceAccountResponses =
+            serviceAccounts.Select(serviceAccount => new PotentialGranteeResponseModel(serviceAccount));
+
+        return new ListResponseModel<PotentialGranteeResponseModel>(serviceAccountResponses);
+    }
+
+    private async Task CheckUserHasWriteAccessToProjectAsync(Project project)
+    {
+        if (project == null || !_currentContext.AccessSecretsManager(project.OrganizationId))
+        {
+            throw new NotFoundException();
+        }
+
+        var userId = _userService.GetProperUserId(User).Value;
+        var orgAdmin = await _currentContext.OrganizationAdmin(project.OrganizationId);
+        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
+
+        var hasAccess = accessClient switch
+        {
+            AccessClientType.NoAccessCheck => true,
+            AccessClientType.User => await _projectRepository.UserHasWriteAccessToProject(project.Id, userId),
+            _ => false,
+        };
+
+        if (!hasAccess)
+        {
+            throw new NotFoundException();
+        }
    }
 }
--- a/src/Api/SecretsManager/Models/Response/PotentialGranteeResponseModel.cs
+++ b/src/Api/SecretsManager/Models/Response/PotentialGranteeResponseModel.cs
@ -0,0 +1,62 @@
+using Bit.Core.Entities;
+using Bit.Core.Models.Api;
+using Bit.Core.Models.Data.Organizations.OrganizationUsers;
+using Bit.Core.SecretsManager.Entities;
+
+namespace Bit.Api.SecretsManager.Models.Response;
+
+public class PotentialGranteeResponseModel : ResponseModel
+{
+    private const string _objectName = "potentialGrantee";
+
+    public PotentialGranteeResponseModel(Group group)
+        : base(_objectName)
+    {
+        if (group == null)
+        {
+            throw new ArgumentNullException(nameof(group));
+        }
+
+        Id = group.Id.ToString();
+        Name = group.Name;
+        Type = "group";
+    }
+
+    public PotentialGranteeResponseModel(OrganizationUserUserDetails user)
+        : base(_objectName)
+    {
+        if (user == null)
+        {
+            throw new ArgumentNullException(nameof(user));
+        }
+
+        Id = user.Id.ToString();
+        Name = user.Name;
+        Email = user.Email;
+        Type = "user";
+    }
+
+    public PotentialGranteeResponseModel(ServiceAccount serviceAccount)
+        : base(_objectName)
+    {
+        if (serviceAccount == null)
+        {
+            throw new ArgumentNullException(nameof(serviceAccount));
+        }
+
+        Id = serviceAccount.Id.ToString();
+        Name = serviceAccount.Name;
+        Type = "serviceAccount";
+    }
+
+    public PotentialGranteeResponseModel() : base(_objectName)
+    {
+    }
+
+    public string Id { get; set; }
+
+    public string Name { get; set; }
+
+    public string Type { get; set; }
+    public string? Email { get; set; }
+}
--- a/src/Core/SecretsManager/Commands/AccessPolicies/Interfaces/ICreateAccessPoliciesCommand.cs
+++ b/src/Core/SecretsManager/Commands/AccessPolicies/Interfaces/ICreateAccessPoliciesCommand.cs
@ -4,5 +4,5 @@ namespace Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;

 public interface ICreateAccessPoliciesCommand
 {
-    Task<List<BaseAccessPolicy>> CreateAsync(List<BaseAccessPolicy> accessPolicies);
+    Task<IEnumerable<BaseAccessPolicy>> CreateForProjectAsync(Guid projectId, List<BaseAccessPolicy> accessPolicies, Guid userId);
 }
--- a/src/Core/SecretsManager/Commands/AccessPolicies/Interfaces/IDeleteAccessPolicyCommand.cs
+++ b/src/Core/SecretsManager/Commands/AccessPolicies/Interfaces/IDeleteAccessPolicyCommand.cs
@ -2,5 +2,5 @@

 public interface IDeleteAccessPolicyCommand
 {
-    Task DeleteAsync(Guid id);
+    Task DeleteAsync(Guid id, Guid userId);
 }
--- a/src/Core/SecretsManager/Commands/AccessPolicies/Interfaces/IUpdateAccessPolicyCommand.cs
+++ b/src/Core/SecretsManager/Commands/AccessPolicies/Interfaces/IUpdateAccessPolicyCommand.cs
@ -4,5 +4,5 @@ namespace Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;

 public interface IUpdateAccessPolicyCommand
 {
-    public Task<BaseAccessPolicy> UpdateAsync(Guid id, bool read, bool write);
+    public Task<BaseAccessPolicy> UpdateAsync(Guid id, bool read, bool write, Guid userId);
 }
--- a/src/Core/SecretsManager/Entities/AccessPolicy.cs
+++ b/src/Core/SecretsManager/Entities/AccessPolicy.cs
@ -24,34 +24,39 @@ public abstract class BaseAccessPolicy
 public class UserProjectAccessPolicy : BaseAccessPolicy
 {
    public Guid? OrganizationUserId { get; set; }
-    public Guid? GrantedProjectId { get; set; }
    public User? User { get; set; }
+    public Guid? GrantedProjectId { get; set; }
+    public Project? GrantedProject { get; set; }
 }

 public class UserServiceAccountAccessPolicy : BaseAccessPolicy
 {
    public Guid? OrganizationUserId { get; set; }
-    public Guid? GrantedServiceAccountId { get; set; }
    public User? User { get; set; }
+    public Guid? GrantedServiceAccountId { get; set; }
+    public ServiceAccount? GrantedServiceAccount { get; set; }
 }

 public class GroupProjectAccessPolicy : BaseAccessPolicy
 {
    public Guid? GroupId { get; set; }
-    public Guid? GrantedProjectId { get; set; }
    public Group? Group { get; set; }
+    public Guid? GrantedProjectId { get; set; }
+    public Project? GrantedProject { get; set; }
 }

 public class GroupServiceAccountAccessPolicy : BaseAccessPolicy
 {
    public Guid? GroupId { get; set; }
-    public Guid? GrantedServiceAccountId { get; set; }
    public Group? Group { get; set; }
+    public Guid? GrantedServiceAccountId { get; set; }
+    public ServiceAccount? GrantedServiceAccount { get; set; }
 }

 public class ServiceAccountProjectAccessPolicy : BaseAccessPolicy
 {
    public Guid? ServiceAccountId { get; set; }
-    public Guid? GrantedProjectId { get; set; }
    public ServiceAccount? ServiceAccount { get; set; }
+    public Guid? GrantedProjectId { get; set; }
+    public Project? GrantedProject { get; set; }
 }
--- a/src/Core/SecretsManager/Repositories/IServiceAccountRepository.cs
+++ b/src/Core/SecretsManager/Repositories/IServiceAccountRepository.cs
@ -11,4 +11,5 @@ public interface IServiceAccountRepository
    Task ReplaceAsync(ServiceAccount serviceAccount);
    Task<bool> UserHasReadAccessToServiceAccount(Guid id, Guid userId);
    Task<bool> UserHasWriteAccessToServiceAccount(Guid id, Guid userId);
+    Task<IEnumerable<ServiceAccount>> GetManyByOrganizationIdWriteAccessAsync(Guid organizationId, Guid userId, AccessClientType accessType);
 }