[SM-789] Extract authorization from service account delete command (#2999)

* Extract authorization from SA delete command * swap to IEnumerable --------- Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
2025-06-30 23:52:50 -05:00 · 2023-07-12 15:32:40 -05:00
parent b629c31de9
commit d6a45d4802
8 changed files with 246 additions and 70 deletions
--- a/src/Api/SecretsManager/Controllers/ServiceAccountsController.cs
+++ b/src/Api/SecretsManager/Controllers/ServiceAccountsController.cs
@ -7,6 +7,7 @@ using Bit.Core.Exceptions;
 using Bit.Core.SecretsManager.AuthorizationRequirements;
 using Bit.Core.SecretsManager.Commands.AccessTokens.Interfaces;
 using Bit.Core.SecretsManager.Commands.ServiceAccounts.Interfaces;
+using Bit.Core.SecretsManager.Entities;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Services;
 using Bit.Core.Utilities;
@ -130,10 +131,40 @@ public class ServiceAccountsController : Controller
    [HttpPost("delete")]
    public async Task<ListResponseModel<BulkDeleteResponseModel>> BulkDeleteAsync([FromBody] List<Guid> ids)
    {
-        var userId = _userService.GetProperUserId(User).Value;
+        var serviceAccounts = (await _serviceAccountRepository.GetManyByIds(ids)).ToList();
+        if (!serviceAccounts.Any() || serviceAccounts.Count != ids.Count)
+        {
+            throw new NotFoundException();
+        }

-        var results = await _deleteServiceAccountsCommand.DeleteServiceAccounts(ids, userId);
-        var responses = results.Select(r => new BulkDeleteResponseModel(r.Item1.Id, r.Item2));
+        // Ensure all service accounts belong to the same organization
+        var organizationId = serviceAccounts.First().OrganizationId;
+        if (serviceAccounts.Any(sa => sa.OrganizationId != organizationId) ||
+            !_currentContext.AccessSecretsManager(organizationId))
+        {
+            throw new NotFoundException();
+        }
+
+        var serviceAccountsToDelete = new List<ServiceAccount>();
+        var results = new List<(ServiceAccount ServiceAccount, string Error)>();
+
+        foreach (var serviceAccount in serviceAccounts)
+        {
+            var authorizationResult =
+                await _authorizationService.AuthorizeAsync(User, serviceAccount, ServiceAccountOperations.Delete);
+            if (authorizationResult.Succeeded)
+            {
+                serviceAccountsToDelete.Add(serviceAccount);
+                results.Add((serviceAccount, ""));
+            }
+            else
+            {
+                results.Add((serviceAccount, "access denied"));
+            }
+        }
+
+        await _deleteServiceAccountsCommand.DeleteServiceAccounts(serviceAccountsToDelete);
+        var responses = results.Select(r => new BulkDeleteResponseModel(r.ServiceAccount.Id, r.Error));
        return new ListResponseModel<BulkDeleteResponseModel>(responses);
    }