[SM-910] Add service account granted policies management endpoints (#3736)

* Add the ability to get multi projects access * Add access policy helper + tests * Add new data/request models * Add access policy operations to repo * Add authz handler for new operations * Add new controller endpoints * add updating service account revision
2025-06-30 15:42:48 -05:00 · 2024-05-01 11:47:11 -05:00
parent a14646eaad
commit ebd88393c8
28 changed files with 1772 additions and 578 deletions
--- a/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
+++ b/src/Api/SecretsManager/Controllers/AccessPoliciesController.cs
@ -7,6 +7,8 @@ using Bit.Core.Exceptions;
 using Bit.Core.SecretsManager.AuthorizationRequirements;
 using Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
 using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Queries.AccessPolicies.Interfaces;
+using Bit.Core.SecretsManager.Queries.Interfaces;
 using Bit.Core.SecretsManager.Repositories;
 using Bit.Core.Services;
 using Microsoft.AspNetCore.Authorization;
@ -26,6 +28,9 @@ public class AccessPoliciesController : Controller
    private readonly IProjectRepository _projectRepository;
    private readonly IServiceAccountRepository _serviceAccountRepository;
    private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
+    private readonly IUpdateServiceAccountGrantedPoliciesCommand _updateServiceAccountGrantedPoliciesCommand;
+    private readonly IAccessClientQuery _accessClientQuery;
+    private readonly IServiceAccountGrantedPolicyUpdatesQuery _serviceAccountGrantedPolicyUpdatesQuery;
    private readonly IUserService _userService;
    private readonly IAuthorizationService _authorizationService;

@ -36,6 +41,9 @@ public class AccessPoliciesController : Controller
        IAccessPolicyRepository accessPolicyRepository,
        IServiceAccountRepository serviceAccountRepository,
        IProjectRepository projectRepository,
+        IAccessClientQuery accessClientQuery,
+        IServiceAccountGrantedPolicyUpdatesQuery serviceAccountGrantedPolicyUpdatesQuery,
+        IUpdateServiceAccountGrantedPoliciesCommand updateServiceAccountGrantedPoliciesCommand,
        ICreateAccessPoliciesCommand createAccessPoliciesCommand,
        IDeleteAccessPolicyCommand deleteAccessPolicyCommand,
        IUpdateAccessPolicyCommand updateAccessPolicyCommand)
@ -49,6 +57,9 @@ public class AccessPoliciesController : Controller
        _createAccessPoliciesCommand = createAccessPoliciesCommand;
        _deleteAccessPolicyCommand = deleteAccessPolicyCommand;
        _updateAccessPolicyCommand = updateAccessPolicyCommand;
+        _updateServiceAccountGrantedPoliciesCommand = updateServiceAccountGrantedPoliciesCommand;
+        _accessClientQuery = accessClientQuery;
+        _serviceAccountGrantedPolicyUpdatesQuery = serviceAccountGrantedPolicyUpdatesQuery;
    }

    [HttpPost("/projects/{id}/access-policies")]
@ -89,61 +100,6 @@ public class AccessPoliciesController : Controller
        return new ProjectAccessPoliciesResponseModel(results);
    }

-    [HttpPost("/service-accounts/{id}/granted-policies")]
-    public async Task<ListResponseModel<ServiceAccountProjectAccessPolicyResponseModel>>
-        CreateServiceAccountGrantedPoliciesAsync([FromRoute] Guid id,
-            [FromBody] List<GrantedAccessPolicyRequest> requests)
-    {
-        if (requests.Count > _maxBulkCreation)
-        {
-            throw new BadRequestException($"Can process no more than {_maxBulkCreation} creation requests at once.");
-        }
-
-        if (requests.Count != requests.DistinctBy(request => request.GrantedId).Count())
-        {
-            throw new BadRequestException("Resources must be unique");
-        }
-
-        var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
-        if (serviceAccount == null)
-        {
-            throw new NotFoundException();
-        }
-
-        var policies = requests.Select(request => request.ToServiceAccountProjectAccessPolicy(id, serviceAccount.OrganizationId)).ToList();
-        foreach (var policy in policies)
-        {
-            var authorizationResult = await _authorizationService.AuthorizeAsync(User, policy, AccessPolicyOperations.Create);
-            if (!authorizationResult.Succeeded)
-            {
-                throw new NotFoundException();
-            }
-        }
-
-        var results =
-            await _createAccessPoliciesCommand.CreateManyAsync(new List<BaseAccessPolicy>(policies));
-        var responses = results.Select(ap =>
-            new ServiceAccountProjectAccessPolicyResponseModel((ServiceAccountProjectAccessPolicy)ap));
-        return new ListResponseModel<ServiceAccountProjectAccessPolicyResponseModel>(responses);
-    }
-
-    [HttpGet("/service-accounts/{id}/granted-policies")]
-    public async Task<ListResponseModel<ServiceAccountProjectAccessPolicyResponseModel>>
-        GetServiceAccountGrantedPoliciesAsync([FromRoute] Guid id)
-    {
-        var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
-        if (serviceAccount == null)
-        {
-            throw new NotFoundException();
-        }
-
-        var (accessClient, userId) = await GetAccessClientTypeAsync(serviceAccount.OrganizationId);
-        var results = await _accessPolicyRepository.GetManyByServiceAccountIdAsync(id, userId, accessClient);
-        var responses = results.Select(ap =>
-            new ServiceAccountProjectAccessPolicyResponseModel((ServiceAccountProjectAccessPolicy)ap));
-        return new ListResponseModel<ServiceAccountProjectAccessPolicyResponseModel>(responses);
-    }
-
    [HttpPut("{id}")]
    public async Task<BaseAccessPolicyResponseModel> UpdateAccessPolicyAsync([FromRoute] Guid id,
        [FromBody] AccessPolicyUpdateRequest request)
@ -303,6 +259,43 @@ public class AccessPoliciesController : Controller
        return new ServiceAccountPeopleAccessPoliciesResponseModel(results, userId);
    }

+    [HttpGet("/service-accounts/{id}/granted-policies")]
+    public async Task<ServiceAccountGrantedPoliciesPermissionDetailsResponseModel>
+        GetServiceAccountGrantedPoliciesAsync([FromRoute] Guid id)
+    {
+        var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
+        var authorizationResult =
+            await _authorizationService.AuthorizeAsync(User, serviceAccount, ServiceAccountOperations.Update);
+
+        if (!authorizationResult.Succeeded)
+        {
+            throw new NotFoundException();
+        }
+
+        return await GetServiceAccountGrantedPoliciesAsync(serviceAccount);
+    }
+
+
+    [HttpPut("/service-accounts/{id}/granted-policies")]
+    public async Task<ServiceAccountGrantedPoliciesPermissionDetailsResponseModel>
+        PutServiceAccountGrantedPoliciesAsync([FromRoute] Guid id,
+            [FromBody] ServiceAccountGrantedPoliciesRequestModel request)
+    {
+        var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id) ?? throw new NotFoundException();
+        var grantedPoliciesUpdates =
+            await _serviceAccountGrantedPolicyUpdatesQuery.GetAsync(request.ToGrantedPolicies(serviceAccount));
+
+        var authorizationResult = await _authorizationService.AuthorizeAsync(User, grantedPoliciesUpdates,
+            ServiceAccountGrantedPoliciesOperations.Updates);
+        if (!authorizationResult.Succeeded)
+        {
+            throw new NotFoundException();
+        }
+
+        await _updateServiceAccountGrantedPoliciesCommand.UpdateAsync(grantedPoliciesUpdates);
+        return await GetServiceAccountGrantedPoliciesAsync(serviceAccount);
+    }
+
    private async Task<(AccessClientType AccessClientType, Guid UserId)> CheckUserHasWriteAccessToProjectAsync(Project project)
    {
        if (project == null)
@ -355,4 +348,11 @@ public class AccessPoliciesController : Controller
        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
        return (accessClient, userId);
    }
+
+    private async Task<ServiceAccountGrantedPoliciesPermissionDetailsResponseModel> GetServiceAccountGrantedPoliciesAsync(ServiceAccount serviceAccount)
+    {
+        var (accessClient, userId) = await _accessClientQuery.GetAccessClientAsync(User, serviceAccount.OrganizationId);
+        var results = await _accessPolicyRepository.GetServiceAccountGrantedPoliciesPermissionDetailsAsync(serviceAccount.Id, userId, accessClient);
+        return new ServiceAccountGrantedPoliciesPermissionDetailsResponseModel(results);
+    }
 }
--- a/src/Api/SecretsManager/Models/Request/ServiceAccountGrantedPoliciesRequestModel.cs
+++ b/src/Api/SecretsManager/Models/Request/ServiceAccountGrantedPoliciesRequestModel.cs
@ -0,0 +1,28 @@
+#nullable enable
+using Bit.Api.SecretsManager.Utilities;
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Models.Data;
+
+namespace Bit.Api.SecretsManager.Models.Request;
+
+public class ServiceAccountGrantedPoliciesRequestModel
+{
+    public required IEnumerable<GrantedAccessPolicyRequest> ProjectGrantedPolicyRequests { get; set; }
+
+    public ServiceAccountGrantedPolicies ToGrantedPolicies(ServiceAccount serviceAccount)
+    {
+        var projectGrantedPolicies = ProjectGrantedPolicyRequests
+            .Select(x => x.ToServiceAccountProjectAccessPolicy(serviceAccount.Id, serviceAccount.OrganizationId))
+            .ToList();
+
+        AccessPolicyHelpers.CheckForDistinctAccessPolicies(projectGrantedPolicies);
+        AccessPolicyHelpers.CheckAccessPoliciesHaveReadPermission(projectGrantedPolicies);
+
+        return new ServiceAccountGrantedPolicies
+        {
+            ServiceAccountId = serviceAccount.Id,
+            OrganizationId = serviceAccount.OrganizationId,
+            ProjectGrantedPolicies = projectGrantedPolicies
+        };
+    }
+}
--- a/src/Api/SecretsManager/Models/Response/ServiceAccountGrantedPoliciesPermissionDetailsResponseModel.cs
+++ b/src/Api/SecretsManager/Models/Response/ServiceAccountGrantedPoliciesPermissionDetailsResponseModel.cs
@ -0,0 +1,30 @@
+#nullable enable
+using Bit.Core.Models.Api;
+using Bit.Core.SecretsManager.Models.Data;
+
+namespace Bit.Api.SecretsManager.Models.Response;
+
+public class ServiceAccountGrantedPoliciesPermissionDetailsResponseModel : ResponseModel
+{
+    private const string _objectName = "ServiceAccountGrantedPoliciesPermissionDetails";
+
+    public ServiceAccountGrantedPoliciesPermissionDetailsResponseModel(
+        ServiceAccountGrantedPoliciesPermissionDetails? grantedPoliciesPermissionDetails)
+        : base(_objectName)
+    {
+        if (grantedPoliciesPermissionDetails == null)
+        {
+            return;
+        }
+
+        GrantedProjectPolicies = grantedPoliciesPermissionDetails.ProjectGrantedPolicies
+            .Select(x => new ServiceAccountProjectAccessPolicyPermissionDetailsResponseModel(x)).ToList();
+    }
+
+    public ServiceAccountGrantedPoliciesPermissionDetailsResponseModel() : base(_objectName)
+    {
+    }
+
+    public List<ServiceAccountProjectAccessPolicyPermissionDetailsResponseModel> GrantedProjectPolicies { get; set; } =
+        [];
+}
--- a/src/Api/SecretsManager/Models/Response/ServiceAccountProjectAccessPolicyPermissionDetailsResponseModel.cs
+++ b/src/Api/SecretsManager/Models/Response/ServiceAccountProjectAccessPolicyPermissionDetailsResponseModel.cs
@ -0,0 +1,25 @@
+#nullable enable
+using Bit.Core.Models.Api;
+using Bit.Core.SecretsManager.Models.Data;
+
+namespace Bit.Api.SecretsManager.Models.Response;
+
+public class ServiceAccountProjectAccessPolicyPermissionDetailsResponseModel : ResponseModel
+{
+    private const string _objectName = "serviceAccountProjectAccessPolicyPermissionDetails";
+
+    public ServiceAccountProjectAccessPolicyPermissionDetailsResponseModel(
+        ServiceAccountProjectAccessPolicyPermissionDetails apPermissionDetails, string obj = _objectName) : base(obj)
+    {
+        AccessPolicy = new ServiceAccountProjectAccessPolicyResponseModel(apPermissionDetails.AccessPolicy);
+        HasPermission = apPermissionDetails.HasPermission;
+    }
+
+    public ServiceAccountProjectAccessPolicyPermissionDetailsResponseModel()
+        : base(_objectName)
+    {
+    }
+
+    public ServiceAccountProjectAccessPolicyResponseModel AccessPolicy { get; set; } = new();
+    public bool HasPermission { get; set; }
+}
--- a/src/Api/SecretsManager/Utilities/AccessPolicyHelpers.cs
+++ b/src/Api/SecretsManager/Utilities/AccessPolicyHelpers.cs
@ -0,0 +1,40 @@
+#nullable enable
+using Bit.Core.Exceptions;
+using Bit.Core.SecretsManager.Entities;
+
+namespace Bit.Api.SecretsManager.Utilities;
+
+public static class AccessPolicyHelpers
+{
+    public static void CheckForDistinctAccessPolicies(IReadOnlyCollection<BaseAccessPolicy> accessPolicies)
+    {
+        var distinctAccessPolicies = accessPolicies.DistinctBy(baseAccessPolicy =>
+        {
+            return baseAccessPolicy switch
+            {
+                UserProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId, ap.GrantedProjectId),
+                GroupProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedProjectId),
+                ServiceAccountProjectAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.ServiceAccountId,
+                    ap.GrantedProjectId),
+                UserServiceAccountAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.OrganizationUserId,
+                    ap.GrantedServiceAccountId),
+                GroupServiceAccountAccessPolicy ap => new Tuple<Guid?, Guid?>(ap.GroupId, ap.GrantedServiceAccountId),
+                _ => throw new ArgumentException("Unsupported access policy type provided.", nameof(baseAccessPolicy)),
+            };
+        }).ToList();
+
+        if (accessPolicies.Count != distinctAccessPolicies.Count)
+        {
+            throw new BadRequestException("Resources must be unique");
+        }
+    }
+
+    public static void CheckAccessPoliciesHaveReadPermission(IEnumerable<BaseAccessPolicy> accessPolicies)
+    {
+        var accessPoliciesPermission = accessPolicies.All(policy => policy.Read);
+        if (!accessPoliciesPermission)
+        {
+            throw new BadRequestException("Resources must be Read = true");
+        }
+    }
+}
--- a/src/Core/SecretsManager/AuthorizationRequirements/ServiceAccountGrantedPoliciesOperationRequirement.cs
+++ b/src/Core/SecretsManager/AuthorizationRequirements/ServiceAccountGrantedPoliciesOperationRequirement.cs
@ -0,0 +1,14 @@
+#nullable enable
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.SecretsManager.AuthorizationRequirements;
+
+public class ServiceAccountGrantedPoliciesOperationRequirement : OperationAuthorizationRequirement
+{
+
+}
+
+public static class ServiceAccountGrantedPoliciesOperations
+{
+    public static readonly ServiceAccountGrantedPoliciesOperationRequirement Updates = new() { Name = nameof(Updates) };
+}
--- a/src/Core/SecretsManager/Commands/AccessPolicies/Interfaces/IUpdateServiceAccountGrantedPoliciesCommand.cs
+++ b/src/Core/SecretsManager/Commands/AccessPolicies/Interfaces/IUpdateServiceAccountGrantedPoliciesCommand.cs
@ -0,0 +1,9 @@
+#nullable enable
+using Bit.Core.SecretsManager.Models.Data;
+
+namespace Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
+
+public interface IUpdateServiceAccountGrantedPoliciesCommand
+{
+    Task UpdateAsync(ServiceAccountGrantedPoliciesUpdates grantedPoliciesUpdates);
+}
--- a/src/Core/SecretsManager/Enums/AccessPolicies/AccessPolicyOperation.cs
+++ b/src/Core/SecretsManager/Enums/AccessPolicies/AccessPolicyOperation.cs
@ -0,0 +1,8 @@
+namespace Bit.Core.SecretsManager.Enums.AccessPolicies;
+
+public enum AccessPolicyOperation
+{
+    Create,
+    Update,
+    Delete
+}
--- a/src/Core/SecretsManager/Models/Data/AccessPolicyUpdates/ServiceAccountProjectAccessPolicyUpdate.cs
+++ b/src/Core/SecretsManager/Models/Data/AccessPolicyUpdates/ServiceAccountProjectAccessPolicyUpdate.cs
@ -0,0 +1,11 @@
+#nullable enable
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Enums.AccessPolicies;
+
+namespace Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
+
+public class ServiceAccountProjectAccessPolicyUpdate
+{
+    public AccessPolicyOperation Operation { get; set; }
+    public required ServiceAccountProjectAccessPolicy AccessPolicy { get; set; }
+}
--- a/src/Core/SecretsManager/Models/Data/ServiceAccountGrantedPolicies.cs
+++ b/src/Core/SecretsManager/Models/Data/ServiceAccountGrantedPolicies.cs
@ -0,0 +1,83 @@
+#nullable enable
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Enums.AccessPolicies;
+using Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
+
+namespace Bit.Core.SecretsManager.Models.Data;
+
+public class ServiceAccountGrantedPolicies
+{
+    public ServiceAccountGrantedPolicies(Guid serviceAccountId, IEnumerable<BaseAccessPolicy> policies)
+    {
+        ServiceAccountId = serviceAccountId;
+        ProjectGrantedPolicies = policies.Where(x => x is ServiceAccountProjectAccessPolicy)
+            .Cast<ServiceAccountProjectAccessPolicy>().ToList();
+
+        var serviceAccount = ProjectGrantedPolicies.FirstOrDefault()?.ServiceAccount;
+        if (serviceAccount != null)
+        {
+            OrganizationId = serviceAccount.OrganizationId;
+        }
+    }
+
+    public ServiceAccountGrantedPolicies()
+    {
+    }
+
+    public Guid ServiceAccountId { get; set; }
+    public Guid OrganizationId { get; set; }
+
+    public IEnumerable<ServiceAccountProjectAccessPolicy> ProjectGrantedPolicies { get; set; } =
+        new List<ServiceAccountProjectAccessPolicy>();
+
+    public ServiceAccountGrantedPoliciesUpdates GetPolicyUpdates(ServiceAccountGrantedPolicies requested)
+    {
+        var currentProjectIds = ProjectGrantedPolicies.Select(p => p.GrantedProjectId!.Value).ToList();
+        var requestedProjectIds = requested.ProjectGrantedPolicies.Select(p => p.GrantedProjectId!.Value).ToList();
+
+        var projectIdsToBeDeleted = currentProjectIds.Except(requestedProjectIds).ToList();
+        var projectIdsToBeCreated = requestedProjectIds.Except(currentProjectIds).ToList();
+        var projectIdsToBeUpdated = GetProjectIdsToBeUpdated(requested);
+
+        var policiesToBeDeleted =
+            CreatePolicyUpdates(ProjectGrantedPolicies, projectIdsToBeDeleted, AccessPolicyOperation.Delete);
+        var policiesToBeCreated = CreatePolicyUpdates(requested.ProjectGrantedPolicies, projectIdsToBeCreated,
+            AccessPolicyOperation.Create);
+        var policiesToBeUpdated = CreatePolicyUpdates(requested.ProjectGrantedPolicies, projectIdsToBeUpdated,
+            AccessPolicyOperation.Update);
+
+        return new ServiceAccountGrantedPoliciesUpdates
+        {
+            OrganizationId = OrganizationId,
+            ServiceAccountId = ServiceAccountId,
+            ProjectGrantedPolicyUpdates =
+                policiesToBeDeleted.Concat(policiesToBeCreated).Concat(policiesToBeUpdated)
+        };
+    }
+
+    private static List<ServiceAccountProjectAccessPolicyUpdate> CreatePolicyUpdates(
+        IEnumerable<ServiceAccountProjectAccessPolicy> policies, List<Guid> projectIds,
+        AccessPolicyOperation operation) =>
+        policies
+            .Where(ap => projectIds.Contains(ap.GrantedProjectId!.Value))
+            .Select(ap => new ServiceAccountProjectAccessPolicyUpdate { Operation = operation, AccessPolicy = ap })
+            .ToList();
+
+    private List<Guid> GetProjectIdsToBeUpdated(ServiceAccountGrantedPolicies requested) =>
+        ProjectGrantedPolicies
+            .Where(currentAp => requested.ProjectGrantedPolicies.Any(requestedAp =>
+                requestedAp.GrantedProjectId == currentAp.GrantedProjectId &&
+                requestedAp.ServiceAccountId == currentAp.ServiceAccountId &&
+                (requestedAp.Write != currentAp.Write || requestedAp.Read != currentAp.Read)))
+            .Select(ap => ap.GrantedProjectId!.Value)
+            .ToList();
+}
+
+public class ServiceAccountGrantedPoliciesUpdates
+{
+    public Guid ServiceAccountId { get; set; }
+    public Guid OrganizationId { get; set; }
+
+    public IEnumerable<ServiceAccountProjectAccessPolicyUpdate> ProjectGrantedPolicyUpdates { get; set; } =
+        new List<ServiceAccountProjectAccessPolicyUpdate>();
+}
--- a/src/Core/SecretsManager/Models/Data/ServiceAccountGrantedPoliciesPermissionDetails.cs
+++ b/src/Core/SecretsManager/Models/Data/ServiceAccountGrantedPoliciesPermissionDetails.cs
@ -0,0 +1,17 @@
+#nullable enable
+using Bit.Core.SecretsManager.Entities;
+
+namespace Bit.Core.SecretsManager.Models.Data;
+
+public class ServiceAccountGrantedPoliciesPermissionDetails
+{
+    public Guid ServiceAccountId { get; set; }
+    public Guid OrganizationId { get; set; }
+    public required IEnumerable<ServiceAccountProjectAccessPolicyPermissionDetails> ProjectGrantedPolicies { get; set; }
+}
+
+public class ServiceAccountProjectAccessPolicyPermissionDetails
+{
+    public required ServiceAccountProjectAccessPolicy AccessPolicy { get; set; }
+    public bool HasPermission { get; set; }
+}
--- a/src/Core/SecretsManager/Queries/AccessPolicies/Interfaces/IServiceAccountGrantedPolicyUpdatesQuery.cs
+++ b/src/Core/SecretsManager/Queries/AccessPolicies/Interfaces/IServiceAccountGrantedPolicyUpdatesQuery.cs
@ -0,0 +1,9 @@
+#nullable enable
+using Bit.Core.SecretsManager.Models.Data;
+
+namespace Bit.Core.SecretsManager.Queries.AccessPolicies.Interfaces;
+
+public interface IServiceAccountGrantedPolicyUpdatesQuery
+{
+    Task<ServiceAccountGrantedPoliciesUpdates> GetAsync(ServiceAccountGrantedPolicies grantedPolicies);
+}
--- a/src/Core/SecretsManager/Repositories/IAccessPolicyRepository.cs
+++ b/src/Core/SecretsManager/Repositories/IAccessPolicyRepository.cs
@ -11,8 +11,6 @@ public interface IAccessPolicyRepository
    Task<bool> AccessPolicyExists(BaseAccessPolicy baseAccessPolicy);
    Task<BaseAccessPolicy?> GetByIdAsync(Guid id);
    Task<IEnumerable<BaseAccessPolicy>> GetManyByGrantedProjectIdAsync(Guid id, Guid userId);
-    Task<IEnumerable<BaseAccessPolicy>> GetManyByServiceAccountIdAsync(Guid id, Guid userId,
-        AccessClientType accessType);
    Task ReplaceAsync(BaseAccessPolicy baseAccessPolicy);
    Task DeleteAsync(Guid id);
    Task<IEnumerable<BaseAccessPolicy>> GetPeoplePoliciesByGrantedProjectIdAsync(Guid id, Guid userId);
@ -20,4 +18,8 @@ public interface IAccessPolicyRepository
    Task<PeopleGrantees> GetPeopleGranteesAsync(Guid organizationId, Guid currentUserId);
    Task<IEnumerable<BaseAccessPolicy>> GetPeoplePoliciesByGrantedServiceAccountIdAsync(Guid id, Guid userId);
    Task<IEnumerable<BaseAccessPolicy>> ReplaceServiceAccountPeopleAsync(ServiceAccountPeopleAccessPolicies peopleAccessPolicies, Guid userId);
+    Task<ServiceAccountGrantedPolicies?> GetServiceAccountGrantedPoliciesAsync(Guid serviceAccountId);
+    Task<ServiceAccountGrantedPoliciesPermissionDetails?> GetServiceAccountGrantedPoliciesPermissionDetailsAsync(
+        Guid serviceAccountId, Guid userId, AccessClientType accessClientType);
+    Task UpdateServiceAccountGrantedPoliciesAsync(ServiceAccountGrantedPoliciesUpdates policyUpdates);
 }
--- a/src/Core/SecretsManager/Repositories/IProjectRepository.cs
+++ b/src/Core/SecretsManager/Repositories/IProjectRepository.cs
@ -17,4 +17,6 @@ public interface IProjectRepository
    Task<(bool Read, bool Write)> AccessToProjectAsync(Guid id, Guid userId, AccessClientType accessType);
    Task<bool> ProjectsAreInOrganization(List<Guid> projectIds, Guid organizationId);
    Task<int> GetProjectCountByOrganizationIdAsync(Guid organizationId);
+    Task<Dictionary<Guid, (bool Read, bool Write)>> AccessToProjectsAsync(IEnumerable<Guid> projectIds, Guid userId,
+        AccessClientType accessType);
 }
--- a/src/Core/SecretsManager/Repositories/Noop/NoopProjectRepository.cs
+++ b/src/Core/SecretsManager/Repositories/Noop/NoopProjectRepository.cs
@ -62,4 +62,10 @@ public class NoopProjectRepository : IProjectRepository
    {
        return Task.FromResult(0);
    }
+
+    public Task<Dictionary<Guid, (bool Read, bool Write)>> AccessToProjectsAsync(IEnumerable<Guid> projectIds,
+        Guid userId, AccessClientType accessType)
+    {
+        return Task.FromResult(null as Dictionary<Guid, (bool Read, bool Write)>);
+    }
 }