[SM-495] Access Policies - Individual Service Account - Project Tab (#2697)

* New endpoints to support sa projects tab

* Refactor create; Add tests

* Add creation request limit

src/Api/SecretsManager/Controllers/AccessPoliciesController.cs

@@ -19,14 +19,15 @@ namespace Bit.Api.SecretsManager.Controllers;
 [Route("access-policies")]
 public class AccessPoliciesController : Controller
 {
+    private const int _maxBulkCreation = 15;
     private readonly IAccessPolicyRepository _accessPolicyRepository;
-    private readonly IServiceAccountRepository _serviceAccountRepository;
     private readonly ICreateAccessPoliciesCommand _createAccessPoliciesCommand;
     private readonly ICurrentContext _currentContext;
     private readonly IDeleteAccessPolicyCommand _deleteAccessPolicyCommand;
     private readonly IGroupRepository _groupRepository;
     private readonly IOrganizationUserRepository _organizationUserRepository;
     private readonly IProjectRepository _projectRepository;
+    private readonly IServiceAccountRepository _serviceAccountRepository;
     private readonly IUpdateAccessPolicyCommand _updateAccessPolicyCommand;
     private readonly IUserService _userService;
 
@@ -58,9 +59,21 @@ public class AccessPoliciesController : Controller
     public async Task<ProjectAccessPoliciesResponseModel> CreateProjectAccessPoliciesAsync([FromRoute] Guid id,
         [FromBody] AccessPoliciesCreateRequest request)
     {
-        var userId = _userService.GetProperUserId(User).Value;
+        if (request.Count() > _maxBulkCreation)
+        {
+            throw new BadRequestException($"Can process no more than {_maxBulkCreation} creation requests at once.");
+        }
+
+        var project = await _projectRepository.GetByIdAsync(id);
+        if (project == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var (accessClient, userId) = await GetAccessClientTypeAsync(project.OrganizationId);
         var policies = request.ToBaseAccessPoliciesForProject(id);
-        var results = await _createAccessPoliciesCommand.CreateForProjectAsync(id, policies, userId);
+        await _createAccessPoliciesCommand.CreateManyAsync(policies, userId, accessClient);
+        var results = await _accessPolicyRepository.GetManyByGrantedProjectIdAsync(id);
         return new ProjectAccessPoliciesResponseModel(results);
     }
 
@@ -75,17 +88,31 @@ public class AccessPoliciesController : Controller
     }
 
     [HttpPost("/service-accounts/{id}/access-policies")]
-    public async Task<ServiceAccountAccessPoliciesResponseModel> CreateServiceAccountAccessPoliciesAsync([FromRoute] Guid id,
+    public async Task<ServiceAccountAccessPoliciesResponseModel> CreateServiceAccountAccessPoliciesAsync(
+        [FromRoute] Guid id,
         [FromBody] AccessPoliciesCreateRequest request)
     {
-        var userId = _userService.GetProperUserId(User).Value;
+        if (request.Count() > _maxBulkCreation)
+        {
+            throw new BadRequestException($"Can process no more than {_maxBulkCreation} creation requests at once.");
+        }
+
+        var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
+        if (serviceAccount == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var (accessClient, userId) = await GetAccessClientTypeAsync(serviceAccount.OrganizationId);
         var policies = request.ToBaseAccessPoliciesForServiceAccount(id);
-        var results = await _createAccessPoliciesCommand.CreateForServiceAccountAsync(id, policies, userId);
+        await _createAccessPoliciesCommand.CreateManyAsync(policies, userId, accessClient);
+        var results = await _accessPolicyRepository.GetManyByGrantedServiceAccountIdAsync(id);
         return new ServiceAccountAccessPoliciesResponseModel(results);
     }
 
     [HttpGet("/service-accounts/{id}/access-policies")]
-    public async Task<ServiceAccountAccessPoliciesResponseModel> GetServiceAccountAccessPoliciesAsync([FromRoute] Guid id)
+    public async Task<ServiceAccountAccessPoliciesResponseModel> GetServiceAccountAccessPoliciesAsync(
+        [FromRoute] Guid id)
     {
         var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
         await CheckUserHasWriteAccessToServiceAccountAsync(serviceAccount);
@@ -94,6 +121,48 @@ public class AccessPoliciesController : Controller
         return new ServiceAccountAccessPoliciesResponseModel(results);
     }
 
+    [HttpGet("/service-accounts/{id}/granted-policies")]
+    public async Task<ListResponseModel<ServiceAccountProjectAccessPolicyResponseModel>>
+        GetServiceAccountGrantedPoliciesAsync([FromRoute] Guid id)
+    {
+        var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
+        if (serviceAccount == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var (accessClient, userId) = await GetAccessClientTypeAsync(serviceAccount.OrganizationId);
+        var results = await _accessPolicyRepository.GetManyByServiceAccountIdAsync(id, userId, accessClient);
+        var responses = results.Select(ap =>
+            new ServiceAccountProjectAccessPolicyResponseModel((ServiceAccountProjectAccessPolicy)ap));
+        return new ListResponseModel<ServiceAccountProjectAccessPolicyResponseModel>(responses);
+    }
+
+    [HttpPost("/service-accounts/{id}/granted-policies")]
+    public async Task<ListResponseModel<ServiceAccountProjectAccessPolicyResponseModel>>
+        CreateServiceAccountGrantedPoliciesAsync([FromRoute] Guid id,
+            [FromBody] List<GrantedAccessPolicyRequest> requests)
+    {
+        if (requests.Count > _maxBulkCreation)
+        {
+            throw new BadRequestException($"Can process no more than {_maxBulkCreation} creation requests at once.");
+        }
+
+        var serviceAccount = await _serviceAccountRepository.GetByIdAsync(id);
+        if (serviceAccount == null)
+        {
+            throw new NotFoundException();
+        }
+
+        var (accessClient, userId) = await GetAccessClientTypeAsync(serviceAccount.OrganizationId);
+        var policies = requests.Select(request => request.ToServiceAccountProjectAccessPolicy(id));
+        var results =
+            await _createAccessPoliciesCommand.CreateManyAsync(new List<BaseAccessPolicy>(policies), userId, accessClient);
+        var responses = results.Select(ap =>
+            new ServiceAccountProjectAccessPolicyResponseModel((ServiceAccountProjectAccessPolicy)ap));
+        return new ListResponseModel<ServiceAccountProjectAccessPolicyResponseModel>(responses);
+    }
+
     [HttpPut("{id}")]
     public async Task<BaseAccessPolicyResponseModel> UpdateAccessPolicyAsync([FromRoute] Guid id,
         [FromBody] AccessPolicyUpdateRequest request)
@@ -104,9 +173,11 @@ public class AccessPoliciesController : Controller
         return result switch
         {
             UserProjectAccessPolicy accessPolicy => new UserProjectAccessPolicyResponseModel(accessPolicy),
-            UserServiceAccountAccessPolicy accessPolicy => new UserServiceAccountAccessPolicyResponseModel(accessPolicy),
+            UserServiceAccountAccessPolicy accessPolicy =>
+                new UserServiceAccountAccessPolicyResponseModel(accessPolicy),
             GroupProjectAccessPolicy accessPolicy => new GroupProjectAccessPolicyResponseModel(accessPolicy),
-            GroupServiceAccountAccessPolicy accessPolicy => new GroupServiceAccountAccessPolicyResponseModel(accessPolicy),
+            GroupServiceAccountAccessPolicy accessPolicy => new GroupServiceAccountAccessPolicyResponseModel(
+                accessPolicy),
             ServiceAccountProjectAccessPolicy accessPolicy => new ServiceAccountProjectAccessPolicyResponseModel(
                 accessPolicy),
             _ => throw new ArgumentException("Unsupported access policy type provided."),
@@ -121,7 +192,8 @@ public class AccessPoliciesController : Controller
     }
 
     [HttpGet("/organizations/{id}/access-policies/people/potential-grantees")]
-    public async Task<ListResponseModel<PotentialGranteeResponseModel>> GetPeoplePotentialGranteesAsync([FromRoute] Guid id)
+    public async Task<ListResponseModel<PotentialGranteeResponseModel>> GetPeoplePotentialGranteesAsync(
+        [FromRoute] Guid id)
     {
         if (!_currentContext.AccessSecretsManager(id))
         {
@@ -141,16 +213,10 @@ public class AccessPoliciesController : Controller
     }
 
     [HttpGet("/organizations/{id}/access-policies/service-accounts/potential-grantees")]
-    public async Task<ListResponseModel<PotentialGranteeResponseModel>> GetServiceAccountsPotentialGranteesAsync([FromRoute] Guid id)
+    public async Task<ListResponseModel<PotentialGranteeResponseModel>> GetServiceAccountsPotentialGranteesAsync(
+        [FromRoute] Guid id)
     {
-        if (!_currentContext.AccessSecretsManager(id))
-        {
-            throw new NotFoundException();
-        }
-
-        var userId = _userService.GetProperUserId(User).Value;
-        var orgAdmin = await _currentContext.OrganizationAdmin(id);
-        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
+        var (accessClient, userId) = await GetAccessClientTypeAsync(id);
 
         var serviceAccounts =
             await _serviceAccountRepository.GetManyByOrganizationIdWriteAccessAsync(id,
@@ -162,17 +228,30 @@ public class AccessPoliciesController : Controller
         return new ListResponseModel<PotentialGranteeResponseModel>(serviceAccountResponses);
     }
 
+    [HttpGet("/organizations/{id}/access-policies/projects/potential-grantees")]
+    public async Task<ListResponseModel<PotentialGranteeResponseModel>> GetProjectPotentialGranteesAsync(
+        [FromRoute] Guid id)
+    {
+        var (accessClient, userId) = await GetAccessClientTypeAsync(id);
+
+        var projects =
+            await _projectRepository.GetManyByOrganizationIdWriteAccessAsync(id,
+                userId,
+                accessClient);
+        var projectResponses =
+            projects.Select(project => new PotentialGranteeResponseModel(project));
+
+        return new ListResponseModel<PotentialGranteeResponseModel>(projectResponses);
+    }
+
     private async Task CheckUserHasWriteAccessToProjectAsync(Project project)
     {
-        if (project == null || !_currentContext.AccessSecretsManager(project.OrganizationId))
+        if (project == null)
         {
             throw new NotFoundException();
         }
 
-        var userId = _userService.GetProperUserId(User).Value;
-        var orgAdmin = await _currentContext.OrganizationAdmin(project.OrganizationId);
-        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
-
+        var (accessClient, userId) = await GetAccessClientTypeAsync(project.OrganizationId);
         var hasAccess = accessClient switch
         {
             AccessClientType.NoAccessCheck => true,
@@ -188,18 +267,17 @@ public class AccessPoliciesController : Controller
 
     private async Task CheckUserHasWriteAccessToServiceAccountAsync(ServiceAccount serviceAccount)
     {
-        if (serviceAccount == null || !_currentContext.AccessSecretsManager(serviceAccount.OrganizationId))
+        if (serviceAccount == null)
         {
             throw new NotFoundException();
         }
-        var userId = _userService.GetProperUserId(User).Value;
-        var orgAdmin = await _currentContext.OrganizationAdmin(serviceAccount.OrganizationId);
-        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
 
+        var (accessClient, userId) = await GetAccessClientTypeAsync(serviceAccount.OrganizationId);
         var hasAccess = accessClient switch
         {
             AccessClientType.NoAccessCheck => true,
-            AccessClientType.User => await _serviceAccountRepository.UserHasWriteAccessToServiceAccount(serviceAccount.Id, userId),
+            AccessClientType.User => await _serviceAccountRepository.UserHasWriteAccessToServiceAccount(
+                serviceAccount.Id, userId),
             _ => false,
         };
 
@@ -208,4 +286,17 @@ public class AccessPoliciesController : Controller
             throw new NotFoundException();
         }
     }
+
+    private async Task<(AccessClientType AccessClientType, Guid UserId)> GetAccessClientTypeAsync(Guid organizationId)
+    {
+        if (!_currentContext.AccessSecretsManager(organizationId))
+        {
+            throw new NotFoundException();
+        }
+
+        var userId = _userService.GetProperUserId(User).Value;
+        var orgAdmin = await _currentContext.OrganizationAdmin(organizationId);
+        var accessClient = AccessClientHelper.ToAccessClient(_currentContext.ClientType, orgAdmin);
+        return (accessClient, userId);
+    }
 }

src/Api/SecretsManager/Models/Request/AccessPoliciesCreateRequest.cs

@@ -72,6 +72,26 @@ public class AccessPoliciesCreateRequest
         }
         return policies;
     }
+
+    public int Count()
+    {
+        var total = 0;
+
+        if (UserAccessPolicyRequests != null)
+        {
+            total += UserAccessPolicyRequests.Count();
+        }
+        if (GroupAccessPolicyRequests != null)
+        {
+            total += GroupAccessPolicyRequests.Count();
+        }
+        if (ServiceAccountAccessPolicyRequests != null)
+        {
+            total += ServiceAccountAccessPolicyRequests.Count();
+        }
+
+        return total;
+    }
 }
 
 public class AccessPolicyRequest

src/Api/SecretsManager/Models/Request/GrantedAccessPolicyRequest.cs

@@ -0,0 +1,25 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.SecretsManager.Entities;
+
+namespace Bit.Api.SecretsManager.Models.Request;
+
+public class GrantedAccessPolicyRequest
+{
+    [Required]
+    public Guid GrantedId { get; set; }
+
+    [Required]
+    public bool Read { get; set; }
+
+    [Required]
+    public bool Write { get; set; }
+
+    public ServiceAccountProjectAccessPolicy ToServiceAccountProjectAccessPolicy(Guid serviceAccountId) =>
+        new()
+        {
+            ServiceAccountId = serviceAccountId,
+            GrantedProjectId = GrantedId,
+            Read = Read,
+            Write = Write,
+        };
+}

src/Api/SecretsManager/Models/Response/AccessPolicyResponseModel.cs

@@ -115,6 +115,7 @@ public class ServiceAccountProjectAccessPolicyResponseModel : BaseAccessPolicyRe
         ServiceAccountId = accessPolicy.ServiceAccountId;
         GrantedProjectId = accessPolicy.GrantedProjectId;
         ServiceAccountName = accessPolicy.ServiceAccount?.Name;
+        GrantedProjectName = accessPolicy.GrantedProject?.Name;
     }
 
     public ServiceAccountProjectAccessPolicyResponseModel()
@@ -125,4 +126,5 @@ public class ServiceAccountProjectAccessPolicyResponseModel : BaseAccessPolicyRe
     public Guid? ServiceAccountId { get; set; }
     public string? ServiceAccountName { get; set; }
     public Guid? GrantedProjectId { get; set; }
+    public string? GrantedProjectName { get; set; }
 }

src/Api/SecretsManager/Models/Response/PotentialGranteeResponseModel.cs

@@ -49,6 +49,19 @@ public class PotentialGranteeResponseModel : ResponseModel
         Type = "serviceAccount";
     }
 
+    public PotentialGranteeResponseModel(Project project)
+        : base(_objectName)
+    {
+        if (project == null)
+        {
+            throw new ArgumentNullException(nameof(project));
+        }
+
+        Id = project.Id.ToString();
+        Name = project.Name;
+        Type = "project";
+    }
+
     public PotentialGranteeResponseModel() : base(_objectName)
     {
     }