[SM-910] Add service account granted policies management endpoints (#3736)

* Add the ability to get multi projects access

* Add access policy helper + tests

* Add new data/request models

* Add access policy operations to repo

* Add authz handler for new operations

* Add new controller endpoints

* add updating service account revision

src/Core/SecretsManager/AuthorizationRequirements/ServiceAccountGrantedPoliciesOperationRequirement.cs

@@ -0,0 +1,14 @@
+#nullable enable
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.SecretsManager.AuthorizationRequirements;
+
+public class ServiceAccountGrantedPoliciesOperationRequirement : OperationAuthorizationRequirement
+{
+
+}
+
+public static class ServiceAccountGrantedPoliciesOperations
+{
+    public static readonly ServiceAccountGrantedPoliciesOperationRequirement Updates = new() { Name = nameof(Updates) };
+}

src/Core/SecretsManager/Commands/AccessPolicies/Interfaces/IUpdateServiceAccountGrantedPoliciesCommand.cs

@@ -0,0 +1,9 @@
+#nullable enable
+using Bit.Core.SecretsManager.Models.Data;
+
+namespace Bit.Core.SecretsManager.Commands.AccessPolicies.Interfaces;
+
+public interface IUpdateServiceAccountGrantedPoliciesCommand
+{
+    Task UpdateAsync(ServiceAccountGrantedPoliciesUpdates grantedPoliciesUpdates);
+}

src/Core/SecretsManager/Enums/AccessPolicies/AccessPolicyOperation.cs

@@ -0,0 +1,8 @@
+namespace Bit.Core.SecretsManager.Enums.AccessPolicies;
+
+public enum AccessPolicyOperation
+{
+    Create,
+    Update,
+    Delete
+}

src/Core/SecretsManager/Models/Data/AccessPolicyUpdates/ServiceAccountProjectAccessPolicyUpdate.cs

@@ -0,0 +1,11 @@
+#nullable enable
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Enums.AccessPolicies;
+
+namespace Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
+
+public class ServiceAccountProjectAccessPolicyUpdate
+{
+    public AccessPolicyOperation Operation { get; set; }
+    public required ServiceAccountProjectAccessPolicy AccessPolicy { get; set; }
+}

src/Core/SecretsManager/Models/Data/ServiceAccountGrantedPolicies.cs

@@ -0,0 +1,83 @@
+#nullable enable
+using Bit.Core.SecretsManager.Entities;
+using Bit.Core.SecretsManager.Enums.AccessPolicies;
+using Bit.Core.SecretsManager.Models.Data.AccessPolicyUpdates;
+
+namespace Bit.Core.SecretsManager.Models.Data;
+
+public class ServiceAccountGrantedPolicies
+{
+    public ServiceAccountGrantedPolicies(Guid serviceAccountId, IEnumerable<BaseAccessPolicy> policies)
+    {
+        ServiceAccountId = serviceAccountId;
+        ProjectGrantedPolicies = policies.Where(x => x is ServiceAccountProjectAccessPolicy)
+            .Cast<ServiceAccountProjectAccessPolicy>().ToList();
+
+        var serviceAccount = ProjectGrantedPolicies.FirstOrDefault()?.ServiceAccount;
+        if (serviceAccount != null)
+        {
+            OrganizationId = serviceAccount.OrganizationId;
+        }
+    }
+
+    public ServiceAccountGrantedPolicies()
+    {
+    }
+
+    public Guid ServiceAccountId { get; set; }
+    public Guid OrganizationId { get; set; }
+
+    public IEnumerable<ServiceAccountProjectAccessPolicy> ProjectGrantedPolicies { get; set; } =
+        new List<ServiceAccountProjectAccessPolicy>();
+
+    public ServiceAccountGrantedPoliciesUpdates GetPolicyUpdates(ServiceAccountGrantedPolicies requested)
+    {
+        var currentProjectIds = ProjectGrantedPolicies.Select(p => p.GrantedProjectId!.Value).ToList();
+        var requestedProjectIds = requested.ProjectGrantedPolicies.Select(p => p.GrantedProjectId!.Value).ToList();
+
+        var projectIdsToBeDeleted = currentProjectIds.Except(requestedProjectIds).ToList();
+        var projectIdsToBeCreated = requestedProjectIds.Except(currentProjectIds).ToList();
+        var projectIdsToBeUpdated = GetProjectIdsToBeUpdated(requested);
+
+        var policiesToBeDeleted =
+            CreatePolicyUpdates(ProjectGrantedPolicies, projectIdsToBeDeleted, AccessPolicyOperation.Delete);
+        var policiesToBeCreated = CreatePolicyUpdates(requested.ProjectGrantedPolicies, projectIdsToBeCreated,
+            AccessPolicyOperation.Create);
+        var policiesToBeUpdated = CreatePolicyUpdates(requested.ProjectGrantedPolicies, projectIdsToBeUpdated,
+            AccessPolicyOperation.Update);
+
+        return new ServiceAccountGrantedPoliciesUpdates
+        {
+            OrganizationId = OrganizationId,
+            ServiceAccountId = ServiceAccountId,
+            ProjectGrantedPolicyUpdates =
+                policiesToBeDeleted.Concat(policiesToBeCreated).Concat(policiesToBeUpdated)
+        };
+    }
+
+    private static List<ServiceAccountProjectAccessPolicyUpdate> CreatePolicyUpdates(
+        IEnumerable<ServiceAccountProjectAccessPolicy> policies, List<Guid> projectIds,
+        AccessPolicyOperation operation) =>
+        policies
+            .Where(ap => projectIds.Contains(ap.GrantedProjectId!.Value))
+            .Select(ap => new ServiceAccountProjectAccessPolicyUpdate { Operation = operation, AccessPolicy = ap })
+            .ToList();
+
+    private List<Guid> GetProjectIdsToBeUpdated(ServiceAccountGrantedPolicies requested) =>
+        ProjectGrantedPolicies
+            .Where(currentAp => requested.ProjectGrantedPolicies.Any(requestedAp =>
+                requestedAp.GrantedProjectId == currentAp.GrantedProjectId &&
+                requestedAp.ServiceAccountId == currentAp.ServiceAccountId &&
+                (requestedAp.Write != currentAp.Write || requestedAp.Read != currentAp.Read)))
+            .Select(ap => ap.GrantedProjectId!.Value)
+            .ToList();
+}
+
+public class ServiceAccountGrantedPoliciesUpdates
+{
+    public Guid ServiceAccountId { get; set; }
+    public Guid OrganizationId { get; set; }
+
+    public IEnumerable<ServiceAccountProjectAccessPolicyUpdate> ProjectGrantedPolicyUpdates { get; set; } =
+        new List<ServiceAccountProjectAccessPolicyUpdate>();
+}

src/Core/SecretsManager/Models/Data/ServiceAccountGrantedPoliciesPermissionDetails.cs

@@ -0,0 +1,17 @@
+#nullable enable
+using Bit.Core.SecretsManager.Entities;
+
+namespace Bit.Core.SecretsManager.Models.Data;
+
+public class ServiceAccountGrantedPoliciesPermissionDetails
+{
+    public Guid ServiceAccountId { get; set; }
+    public Guid OrganizationId { get; set; }
+    public required IEnumerable<ServiceAccountProjectAccessPolicyPermissionDetails> ProjectGrantedPolicies { get; set; }
+}
+
+public class ServiceAccountProjectAccessPolicyPermissionDetails
+{
+    public required ServiceAccountProjectAccessPolicy AccessPolicy { get; set; }
+    public bool HasPermission { get; set; }
+}

src/Core/SecretsManager/Queries/AccessPolicies/Interfaces/IServiceAccountGrantedPolicyUpdatesQuery.cs

@@ -0,0 +1,9 @@
+#nullable enable
+using Bit.Core.SecretsManager.Models.Data;
+
+namespace Bit.Core.SecretsManager.Queries.AccessPolicies.Interfaces;
+
+public interface IServiceAccountGrantedPolicyUpdatesQuery
+{
+    Task<ServiceAccountGrantedPoliciesUpdates> GetAsync(ServiceAccountGrantedPolicies grantedPolicies);
+}

src/Core/SecretsManager/Repositories/IAccessPolicyRepository.cs

@@ -11,8 +11,6 @@ public interface IAccessPolicyRepository
     Task<bool> AccessPolicyExists(BaseAccessPolicy baseAccessPolicy);
     Task<BaseAccessPolicy?> GetByIdAsync(Guid id);
     Task<IEnumerable<BaseAccessPolicy>> GetManyByGrantedProjectIdAsync(Guid id, Guid userId);
-    Task<IEnumerable<BaseAccessPolicy>> GetManyByServiceAccountIdAsync(Guid id, Guid userId,
-        AccessClientType accessType);
     Task ReplaceAsync(BaseAccessPolicy baseAccessPolicy);
     Task DeleteAsync(Guid id);
     Task<IEnumerable<BaseAccessPolicy>> GetPeoplePoliciesByGrantedProjectIdAsync(Guid id, Guid userId);
@@ -20,4 +18,8 @@ public interface IAccessPolicyRepository
     Task<PeopleGrantees> GetPeopleGranteesAsync(Guid organizationId, Guid currentUserId);
     Task<IEnumerable<BaseAccessPolicy>> GetPeoplePoliciesByGrantedServiceAccountIdAsync(Guid id, Guid userId);
     Task<IEnumerable<BaseAccessPolicy>> ReplaceServiceAccountPeopleAsync(ServiceAccountPeopleAccessPolicies peopleAccessPolicies, Guid userId);
+    Task<ServiceAccountGrantedPolicies?> GetServiceAccountGrantedPoliciesAsync(Guid serviceAccountId);
+    Task<ServiceAccountGrantedPoliciesPermissionDetails?> GetServiceAccountGrantedPoliciesPermissionDetailsAsync(
+        Guid serviceAccountId, Guid userId, AccessClientType accessClientType);
+    Task UpdateServiceAccountGrantedPoliciesAsync(ServiceAccountGrantedPoliciesUpdates policyUpdates);
 }

src/Core/SecretsManager/Repositories/IProjectRepository.cs

@@ -17,4 +17,6 @@ public interface IProjectRepository
     Task<(bool Read, bool Write)> AccessToProjectAsync(Guid id, Guid userId, AccessClientType accessType);
     Task<bool> ProjectsAreInOrganization(List<Guid> projectIds, Guid organizationId);
     Task<int> GetProjectCountByOrganizationIdAsync(Guid organizationId);
+    Task<Dictionary<Guid, (bool Read, bool Write)>> AccessToProjectsAsync(IEnumerable<Guid> projectIds, Guid userId,
+        AccessClientType accessType);
 }

src/Core/SecretsManager/Repositories/Noop/NoopProjectRepository.cs

@@ -62,4 +62,10 @@ public class NoopProjectRepository : IProjectRepository
     {
         return Task.FromResult(0);
     }
+
+    public Task<Dictionary<Guid, (bool Read, bool Write)>> AccessToProjectsAsync(IEnumerable<Guid> projectIds,
+        Guid userId, AccessClientType accessType)
+    {
+        return Task.FromResult(null as Dictionary<Guid, (bool Read, bool Write)>);
+    }
 }