[PM-12479] - Adding group-details endpoint (#4959)

✨ Added group-details endpoint. Moved group auth handler to AdminConsole directory. --------- Co-authored-by: Matt Bishop <mbishop@bitwarden.com>
2025-06-30 23:52:50 -05:00 · 2024-11-12 11:25:36 -06:00
parent 25afd50ab4
commit f2bf9ea9f8
16 changed files with 323 additions and 225 deletions
--- a/src/Core/AdminConsole/OrganizationFeatures/Groups/Authorization/GroupAuthorizationHandler.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Groups/Authorization/GroupAuthorizationHandler.cs
@ -0,0 +1,43 @@
+#nullable enable
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Groups.Authorization;
+
+public class GroupAuthorizationHandler(ICurrentContext currentContext)
+    : AuthorizationHandler<GroupOperationRequirement, OrganizationScope>
+{
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        GroupOperationRequirement requirement, OrganizationScope organizationScope)
+    {
+        var authorized = requirement switch
+        {
+            not null when requirement.Name == nameof(GroupOperations.ReadAll) =>
+                await CanReadAllAsync(organizationScope),
+            not null when requirement.Name == nameof(GroupOperations.ReadAllDetails) =>
+                await CanViewGroupDetailsAsync(organizationScope),
+            _ => false
+        };
+
+        if (requirement is not null && authorized)
+        {
+            context.Succeed(requirement);
+        }
+    }
+
+    private async Task<bool> CanReadAllAsync(OrganizationScope organizationScope) =>
+        currentContext.GetOrganization(organizationScope) is not null
+        || await currentContext.ProviderUserForOrgAsync(organizationScope);
+
+    private async Task<bool> CanViewGroupDetailsAsync(OrganizationScope organizationScope) =>
+        currentContext.GetOrganization(organizationScope) is
+    { Type: OrganizationUserType.Owner } or
+    { Type: OrganizationUserType.Admin } or
+    {
+        Permissions: { ManageGroups: true } or
+        { ManageUsers: true }
+    } ||
+        await currentContext.ProviderUserForOrgAsync(organizationScope);
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/Groups/Authorization/GroupOperations.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/Groups/Authorization/GroupOperations.cs
@ -0,0 +1,17 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Groups.Authorization;
+
+public class GroupOperationRequirement : OperationAuthorizationRequirement
+{
+    public GroupOperationRequirement(string name)
+    {
+        Name = name;
+    }
+}
+
+public static class GroupOperations
+{
+    public static readonly GroupOperationRequirement ReadAll = new(nameof(ReadAll));
+    public static readonly GroupOperationRequirement ReadAllDetails = new(nameof(ReadAllDetails));
+}
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserDetailsAuthorizationHandler.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserDetailsAuthorizationHandler.cs
@ -1,4 +1,5 @@
 #nullable enable
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
 using Bit.Core.Context;
 using Bit.Core.Enums;
 using Microsoft.AspNetCore.Authorization;
--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserMiniDetailsAuthorizationHandler.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationUserUserMiniDetailsAuthorizationHandler.cs
@ -1,5 +1,5 @@
-using Bit.Core.Context;
-using Bit.Core.Services;
+using Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;
+using Bit.Core.Context;
 using Microsoft.AspNetCore.Authorization;

 namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
@ -7,14 +7,10 @@ namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authoriza
 public class OrganizationUserUserMiniDetailsAuthorizationHandler :
    AuthorizationHandler<OrganizationUserUserMiniDetailsOperationRequirement, OrganizationScope>
 {
-    private readonly IApplicationCacheService _applicationCacheService;
    private readonly ICurrentContext _currentContext;

-    public OrganizationUserUserMiniDetailsAuthorizationHandler(
-        IApplicationCacheService applicationCacheService,
-        ICurrentContext currentContext)
+    public OrganizationUserUserMiniDetailsAuthorizationHandler(ICurrentContext currentContext)
    {
-        _applicationCacheService = applicationCacheService;
        _currentContext = currentContext;
    }

--- a/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationScope.cs
+++ b/src/Core/AdminConsole/OrganizationFeatures/OrganizationUsers/Authorization/OrganizationScope.cs
@ -1,6 +1,6 @@
 #nullable enable

-namespace Bit.Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Authorization;
+namespace Bit.Core.AdminConsole.OrganizationFeatures.Shared.Authorization;

 /// <summary>
 /// A typed wrapper for an organization Guid. This is used for authorization checks
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@ -143,6 +143,7 @@ public static class FeatureFlagKeys
    public const string StorageReseedRefactor = "storage-reseed-refactor";
    public const string TrialPayment = "PM-8163-trial-payment";
    public const string RemoveServerVersionHeader = "remove-server-version-header";
+    public const string SecureOrgGroupDetails = "pm-3479-secure-org-group-details";
    public const string AccessIntelligence = "pm-13227-access-intelligence";
    public const string VerifiedSsoDomainEndpoint = "pm-12337-refactor-sso-details-endpoint";
    public const string PM12275_MultiOrganizationEnterprises = "pm-12275-multi-organization-enterprises";