[PM-11123] Service layer for Notification Center (#4741)

* PM-11123: Service layer * PM-11123: Service layer for Notification Center * PM-11123: Throw error on unsupported requirement * PM-11123: Missing await * PM-11123: Cleanup * PM-11123: Unit Test coverage * PM-11123: Flipping the authorization logic to be exact match of fail, formatting * PM-11123: Async warning * PM-11123: Using AuthorizeOrThrowAsync, removal of redundant set new id * PM-11123: UT typo * PM-11123: UT fix
2025-07-08 19:34:09 -05:00 · 2024-10-02 19:23:19 +02:00
parent 9cb99298fc
commit f3f81deb98
29 changed files with 1918 additions and 0 deletions
--- a/src/Core/NotificationCenter/Authorization/NotificationAuthorizationHandler.cs
+++ b/src/Core/NotificationCenter/Authorization/NotificationAuthorizationHandler.cs
@ -0,0 +1,68 @@
+#nullable enable
+using Bit.Core.Context;
+using Bit.Core.NotificationCenter.Entities;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.NotificationCenter.Authorization;
+
+public class NotificationAuthorizationHandler : AuthorizationHandler<NotificationOperationsRequirement, Notification>
+{
+    private readonly ICurrentContext _currentContext;
+
+    public NotificationAuthorizationHandler(ICurrentContext currentContext)
+    {
+        _currentContext = currentContext;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        NotificationOperationsRequirement requirement,
+        Notification notification)
+    {
+        if (!_currentContext.UserId.HasValue)
+        {
+            return;
+        }
+
+        var authorized = requirement switch
+        {
+            not null when requirement == NotificationOperations.Read => CanRead(notification),
+            not null when requirement == NotificationOperations.Create => await CanCreate(notification),
+            not null when requirement == NotificationOperations.Update => await CanUpdate(notification),
+            _ => throw new ArgumentException("Unsupported operation requirement type provided.", nameof(requirement))
+        };
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
+        }
+    }
+
+    private bool CanRead(Notification notification)
+    {
+        var userMatching = !notification.UserId.HasValue || notification.UserId.Value == _currentContext.UserId!.Value;
+        var organizationMatching = !notification.OrganizationId.HasValue ||
+                                   _currentContext.GetOrganization(notification.OrganizationId.Value) != null;
+
+        return notification.Global || (userMatching && organizationMatching);
+    }
+
+    private async Task<bool> CanCreate(Notification notification)
+    {
+        var organizationPermissionsMatching = !notification.OrganizationId.HasValue ||
+                                              await _currentContext.AccessReports(notification.OrganizationId.Value);
+        var userNoOrganizationMatching = !notification.UserId.HasValue || notification.OrganizationId.HasValue ||
+                                         notification.UserId.Value == _currentContext.UserId!.Value;
+
+        return !notification.Global && organizationPermissionsMatching && userNoOrganizationMatching;
+    }
+
+    private async Task<bool> CanUpdate(Notification notification)
+    {
+        var organizationPermissionsMatching = !notification.OrganizationId.HasValue ||
+                                              await _currentContext.AccessReports(notification.OrganizationId.Value);
+        var userNoOrganizationMatching = !notification.UserId.HasValue || notification.OrganizationId.HasValue ||
+                                         notification.UserId.Value == _currentContext.UserId!.Value;
+
+        return !notification.Global && organizationPermissionsMatching && userNoOrganizationMatching;
+    }
+}
--- a/src/Core/NotificationCenter/Authorization/NotificationOperations.cs
+++ b/src/Core/NotificationCenter/Authorization/NotificationOperations.cs
@ -0,0 +1,19 @@
+#nullable enable
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.NotificationCenter.Authorization;
+
+public class NotificationOperationsRequirement : OperationAuthorizationRequirement
+{
+    public NotificationOperationsRequirement(string name)
+    {
+        Name = name;
+    }
+}
+
+public static class NotificationOperations
+{
+    public static readonly NotificationOperationsRequirement Read = new(nameof(Read));
+    public static readonly NotificationOperationsRequirement Create = new(nameof(Create));
+    public static readonly NotificationOperationsRequirement Update = new(nameof(Update));
+}
--- a/src/Core/NotificationCenter/Authorization/NotificationStatusAuthorizationHandler.cs
+++ b/src/Core/NotificationCenter/Authorization/NotificationStatusAuthorizationHandler.cs
@ -0,0 +1,57 @@
+#nullable enable
+using Bit.Core.Context;
+using Bit.Core.NotificationCenter.Entities;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Core.NotificationCenter.Authorization;
+
+public class NotificationStatusAuthorizationHandler : AuthorizationHandler<NotificationStatusOperationsRequirement,
+    NotificationStatus>
+{
+    private readonly ICurrentContext _currentContext;
+
+    public NotificationStatusAuthorizationHandler(ICurrentContext currentContext)
+    {
+        _currentContext = currentContext;
+    }
+
+    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        NotificationStatusOperationsRequirement requirement,
+        NotificationStatus notificationStatus)
+    {
+        if (!_currentContext.UserId.HasValue)
+        {
+            return Task.CompletedTask;
+        }
+
+        var authorized = requirement switch
+        {
+            not null when requirement == NotificationStatusOperations.Read => CanRead(notificationStatus),
+            not null when requirement == NotificationStatusOperations.Create => CanCreate(notificationStatus),
+            not null when requirement == NotificationStatusOperations.Update => CanUpdate(notificationStatus),
+            _ => throw new ArgumentException("Unsupported operation requirement type provided.", nameof(requirement))
+        };
+
+        if (authorized)
+        {
+            context.Succeed(requirement);
+        }
+
+        return Task.CompletedTask;
+    }
+
+    private bool CanRead(NotificationStatus notificationStatus)
+    {
+        return notificationStatus.UserId == _currentContext.UserId!.Value;
+    }
+
+    private bool CanCreate(NotificationStatus notificationStatus)
+    {
+        return notificationStatus.UserId == _currentContext.UserId!.Value;
+    }
+
+    private bool CanUpdate(NotificationStatus notificationStatus)
+    {
+        return notificationStatus.UserId == _currentContext.UserId!.Value;
+    }
+}
--- a/src/Core/NotificationCenter/Authorization/NotificationStatusOperations.cs
+++ b/src/Core/NotificationCenter/Authorization/NotificationStatusOperations.cs
@ -0,0 +1,19 @@
+#nullable enable
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace Bit.Core.NotificationCenter.Authorization;
+
+public class NotificationStatusOperationsRequirement : OperationAuthorizationRequirement
+{
+    public NotificationStatusOperationsRequirement(string name)
+    {
+        Name = name;
+    }
+}
+
+public static class NotificationStatusOperations
+{
+    public static readonly NotificationStatusOperationsRequirement Read = new(nameof(Read));
+    public static readonly NotificationStatusOperationsRequirement Create = new(nameof(Create));
+    public static readonly NotificationStatusOperationsRequirement Update = new(nameof(Update));
+}