nhyatt/bitwarden
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2025-05-22 12:04:27 -05:00
Code

refactor subvault ctrl with org context checks

Browse Source
This commit is contained in:
Kyle Spearrin 2017-04-05 16:40:09 -04:00
parent c4ab901098
commit e414b8d731
6 changed files with 30 additions and 87 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
src/Api/Controllers/SubvaultsController.cs
View File

@ -7,6 +7,7 @@ using Microsoft.AspNetCore.Authorization;
using Bit.Core.Models.Api; using Bit.Core.Models.Api;
using Bit.Core.Exceptions; using Bit.Core.Exceptions;
using Bit.Core.Services; using Bit.Core.Services;
using Bit.Core;
namespace Bit.Api.Controllers namespace Bit.Api.Controllers
{ {
@ -16,21 +17,23 @@ namespace Bit.Api.Controllers
{ {
private readonly ISubvaultRepository _subvaultRepository; private readonly ISubvaultRepository _subvaultRepository;
private readonly IUserService _userService; private readonly IUserService _userService;
private readonly CurrentContext _currentContext;
public SubvaultsController( public SubvaultsController(
ISubvaultRepository subvaultRepository, ISubvaultRepository subvaultRepository,
IUserService userService) IUserService userService,
CurrentContext currentContext)
{ {
_subvaultRepository = subvaultRepository; _subvaultRepository = subvaultRepository;
_userService = userService; _userService = userService;
_currentContext = currentContext;
} }
[HttpGet("{id}")] [HttpGet("{id}")]
public async Task<SubvaultResponseModel> Get(string orgId, string id) public async Task<SubvaultResponseModel> Get(string orgId, string id)
{ {
var userId = _userService.GetProperUserId(User).Value; var subvault = await _subvaultRepository.GetByIdAsync(new Guid(id));
var subvault = await _subvaultRepository.GetByIdAdminUserIdAsync(new Guid(id), userId); if(subvault == null || !_currentContext.OrganizationAdmin(subvault.OrganizationId))
if(subvault == null)
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -38,19 +41,24 @@ namespace Bit.Api.Controllers
return new SubvaultResponseModel(subvault); return new SubvaultResponseModel(subvault);
} }
[HttpGet("~/subvaults")] [HttpGet("")]
public async Task<ListResponseModel<SubvaultResponseModel>> Get() public async Task<ListResponseModel<SubvaultResponseModel>> Get(string orgId)
{ {
var subvaults = await _subvaultRepository.GetManyByUserIdAsync(_userService.GetProperUserId(User).Value); var orgIdGuid = new Guid(orgId);
if(!_currentContext.OrganizationAdmin(orgIdGuid))
{
throw new NotFoundException();
}
var subvaults = await _subvaultRepository.GetManyByOrganizationIdAsync(orgIdGuid);
var responses = subvaults.Select(s => new SubvaultResponseModel(s)); var responses = subvaults.Select(s => new SubvaultResponseModel(s));
return new ListResponseModel<SubvaultResponseModel>(responses); return new ListResponseModel<SubvaultResponseModel>(responses);
} }
[HttpGet("")] [HttpGet("~/subvaults")]
public async Task<ListResponseModel<SubvaultResponseModel>> GetByOrganization(string orgId) public async Task<ListResponseModel<SubvaultResponseModel>> GetUser()
{ {
var subvaults = await _subvaultRepository.GetManyByOrganizationIdAdminUserIdAsync(new Guid(orgId), var subvaults = await _subvaultRepository.GetManyByUserIdAsync(_userService.GetProperUserId(User).Value);
_userService.GetProperUserId(User).Value);
var responses = subvaults.Select(s => new SubvaultResponseModel(s)); var responses = subvaults.Select(s => new SubvaultResponseModel(s));
return new ListResponseModel<SubvaultResponseModel>(responses); return new ListResponseModel<SubvaultResponseModel>(responses);
} }
@ -58,8 +66,13 @@ namespace Bit.Api.Controllers
[HttpPost("")] [HttpPost("")]
public async Task<SubvaultResponseModel> Post(string orgId, [FromBody]SubvaultRequestModel model) public async Task<SubvaultResponseModel> Post(string orgId, [FromBody]SubvaultRequestModel model)
{ {
// TODO: permission check var orgIdGuid = new Guid(orgId);
var subvault = model.ToSubvault(new Guid(orgId)); if(!_currentContext.OrganizationAdmin(orgIdGuid))
{
throw new NotFoundException();
}
var subvault = model.ToSubvault(orgIdGuid);
await _subvaultRepository.CreateAsync(subvault); await _subvaultRepository.CreateAsync(subvault);
return new SubvaultResponseModel(subvault); return new SubvaultResponseModel(subvault);
} }
@ -68,9 +81,8 @@ namespace Bit.Api.Controllers
[HttpPost("{id}")] [HttpPost("{id}")]
public async Task<SubvaultResponseModel> Put(string orgId, string id, [FromBody]SubvaultRequestModel model) public async Task<SubvaultResponseModel> Put(string orgId, string id, [FromBody]SubvaultRequestModel model)
{ {
var subvault = await _subvaultRepository.GetByIdAdminUserIdAsync(new Guid(id), var subvault = await _subvaultRepository.GetByIdAsync(new Guid(id));
_userService.GetProperUserId(User).Value); if(subvault == null || !_currentContext.OrganizationAdmin(subvault.OrganizationId))
if(subvault == null)
{ {
throw new NotFoundException(); throw new NotFoundException();
} }
@ -83,9 +95,8 @@ namespace Bit.Api.Controllers
[HttpPost("{id}/delete")] [HttpPost("{id}/delete")]
public async Task Delete(string orgId, string id) public async Task Delete(string orgId, string id)
{ {
var subvault = await _subvaultRepository.GetByIdAdminUserIdAsync(new Guid(id), var subvault = await _subvaultRepository.GetByIdAsync(new Guid(id));
_userService.GetProperUserId(User).Value); if(subvault == null || !_currentContext.OrganizationAdmin(subvault.OrganizationId))
if(subvault == null)
{ {
throw new NotFoundException(); throw new NotFoundException();
} }

2
src/Core/Repositories/ISubvaultRepository.cs
View File

@ -7,8 +7,6 @@ namespace Bit.Core.Repositories
{ {
public interface ISubvaultRepository : IRepository<Subvault, Guid> public interface ISubvaultRepository : IRepository<Subvault, Guid>
{ {
Task<Subvault> GetByIdAdminUserIdAsync(Guid id, Guid userId);
Task<ICollection<Subvault>> GetManyByOrganizationIdAdminUserIdAsync(Guid organizationId, Guid userId);
Task<ICollection<Subvault>> GetManyByOrganizationIdAsync(Guid organizationId); Task<ICollection<Subvault>> GetManyByOrganizationIdAsync(Guid organizationId);
Task<ICollection<Subvault>> GetManyByUserIdAsync(Guid userId); Task<ICollection<Subvault>> GetManyByUserIdAsync(Guid userId);

26
src/Core/Repositories/SqlServer/SubvaultRepository.cs
View File

@ -19,32 +19,6 @@ namespace Bit.Core.Repositories.SqlServer
: base(connectionString) : base(connectionString)
{ } { }
public async Task<Subvault> GetByIdAdminUserIdAsync(Guid id, Guid userId)
{
using(var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<Subvault>(
$"[{Schema}].[{Table}_ReadByIdAdminUserId]",
new { Id = id, UserId = userId },
commandType: CommandType.StoredProcedure);
return results.FirstOrDefault();
}
}
public async Task<ICollection<Subvault>> GetManyByOrganizationIdAdminUserIdAsync(Guid organizationId, Guid userId)
{
using(var connection = new SqlConnection(ConnectionString))
{
var results = await connection.QueryAsync<Subvault>(
$"[{Schema}].[{Table}_ReadByOrganizationIdAdminUserId]",
new { OrganizationId = organizationId, UserId = userId },
commandType: CommandType.StoredProcedure);
return results.ToList();
}
}
public async Task<ICollection<Subvault>> GetManyByOrganizationIdAsync(Guid organizationId) public async Task<ICollection<Subvault>> GetManyByOrganizationIdAsync(Guid organizationId)
{ {
using(var connection = new SqlConnection(ConnectionString)) using(var connection = new SqlConnection(ConnectionString))

2
src/Sql/Sql.sqlproj
View File

@ -165,7 +165,6 @@
<Build Include="dbo\Stored Procedures\OrganizationUser_ReadByOrganizationIdEmail.sql" /> <Build Include="dbo\Stored Procedures\OrganizationUser_ReadByOrganizationIdEmail.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUser_ReadByOrganizationId.sql" /> <Build Include="dbo\Stored Procedures\OrganizationUser_ReadByOrganizationId.sql" />
<Build Include="dbo\Stored Procedures\Organization_ReadByUserId.sql" /> <Build Include="dbo\Stored Procedures\Organization_ReadByUserId.sql" />
<Build Include="dbo\Stored Procedures\Subvault_ReadByIdAdminUserId.sql" />
<Build Include="dbo\Stored Procedures\Grant_DeleteByKey.sql" /> <Build Include="dbo\Stored Procedures\Grant_DeleteByKey.sql" />
<Build Include="dbo\Stored Procedures\SubvaultUserSubvaultDetails_ReadByUserId.sql" /> <Build Include="dbo\Stored Procedures\SubvaultUserSubvaultDetails_ReadByUserId.sql" />
<Build Include="dbo\Stored Procedures\Grant_DeleteBySubjectIdClientId.sql" /> <Build Include="dbo\Stored Procedures\Grant_DeleteBySubjectIdClientId.sql" />
@ -178,7 +177,6 @@
<Build Include="dbo\Stored Procedures\User_ReadPublicKeyById.sql" /> <Build Include="dbo\Stored Procedures\User_ReadPublicKeyById.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUserUserDetails_ReadById.sql" /> <Build Include="dbo\Stored Procedures\OrganizationUserUserDetails_ReadById.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUserUserDetails_ReadByOrganizationId.sql" /> <Build Include="dbo\Stored Procedures\OrganizationUserUserDetails_ReadByOrganizationId.sql" />
<Build Include="dbo\Stored Procedures\Subvault_ReadByOrganizationIdAdminUserId.sql" />
<Build Include="dbo\User Defined Types\GuidIdArray.sql" /> <Build Include="dbo\User Defined Types\GuidIdArray.sql" />
<Build Include="dbo\Stored Procedures\SubvaultCipher_ReadByCipherId.sql" /> <Build Include="dbo\Stored Procedures\SubvaultCipher_ReadByCipherId.sql" />
<Build Include="dbo\Stored Procedures\OrganizationUser_ReadByUserId.sql" /> <Build Include="dbo\Stored Procedures\OrganizationUser_ReadByUserId.sql" />

19
src/Sql/dbo/Stored Procedures/Subvault_ReadByIdAdminUserId.sql
View File

@ -1,19 +0,0 @@
CREATE PROCEDURE [dbo].[Subvault_ReadByIdAdminUserId]
@Id UNIQUEIDENTIFIER,
@UserId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
S.*
FROM
[dbo].[SubvaultView] S
INNER JOIN
[OrganizationUser] OU ON OU.[OrganizationId] = S.[OrganizationId]
WHERE
S.[Id] = @Id
AND OU.[UserId] = @UserId
AND OU.[Status] = 2 -- Confirmed
AND OU.[Type] <= 1 -- Owner and admin
END

19
src/Sql/dbo/Stored Procedures/Subvault_ReadByOrganizationIdAdminUserId.sql
View File

@ -1,19 +0,0 @@
CREATE PROCEDURE [dbo].[Subvault_ReadByOrganizationIdAdminUserId]
@OrganizationId UNIQUEIDENTIFIER,
@UserId UNIQUEIDENTIFIER
AS
BEGIN
SET NOCOUNT ON
SELECT
S.*
FROM
[dbo].[SubvaultView] S
INNER JOIN
[OrganizationUser] OU ON OU.[OrganizationId] = S.[OrganizationId]
WHERE
S.[OrganizationId] = @OrganizationId
AND OU.[UserId] = @UserId
AND OU.[Status] = 2 -- Confirmed
AND OU.[Type] <= 1 -- Owner and admin
END