mirror of
https://github.com/bitwarden/server.git
synced 2025-07-01 08:02:49 -05:00
5dc3ca85c3
* [AC-1174] Introduce BulkAuthorizationHandler.cs * [AC-1174] Introduce CollectionUserAuthorizationHandler * [AC-1174] Add CreateForNewCollection CollectionUser requirement * [AC-1174] Add some more details to CollectionCustomization * [AC-1174] Formatting * [AC-1174] Add CollectionGroupOperation.cs * [AC-1174] Introduce CollectionGroupAuthorizationHandler.cs * [AC-1174] Cleanup CollectionFixture customization Implement and use re-usable extension method to support seeded Guids * [AC-1174] Introduce WithValueFromList AutoFixtureExtensions Modify CollectionCustomization to use multiple organization Ids for auto generated test data * [AC-1174] Simplify CollectionUserAuthorizationHandler.cs Modify the authorization handler to only perform authorization logic. Validation logic will need to be handled by any calling commands/controllers instead. * [AC-1174] Introduce shared CollectionAccessAuthorizationHandlerBase A shared base authorization handler was created for both CollectionUser and CollectionGroup resources, as they share the same underlying management authorization logic. * [AC-1174] Update CollectionUserAuthorizationHandler and CollectionGroupAuthorizationHandler to use the new CollectionAccessAuthorizationHandlerBase class * [AC-1174] Formatting * [AC-1174] Cleanup typo and redundant ToList() call * [AC-1174] Add check for provider users * [AC-1174] Reduce nested loops * [AC-1174] Introduce ICollectionAccess.cs * [AC-1174] Remove individual CollectionGroup and CollectionUser auth handlers and use base class instead * [AC-1174] Tweak unit test to fail minimally * [AC-1174] Reorganize authorization handlers in Core project * [AC-1174] Introduce new AddCoreAuthorizationHandlers() extension method * [AC-1174] Move CollectionAccessAuthorizationHandler into Api project * [AC-1174] Move CollectionFixture to Vault folder * [AC-1174] Rename operation to CreateUpdateDelete * [AC-1174] Require single organization for collection access authorization handler - Add requirement that all target collections must belong to the same organization - Simplify logic related to multiple organizations - Update tests and helpers - Use ToHashSet to improve lookup time * [AC-1174] Fix null reference exception * [AC-1174] Throw bad request exception when collections belong to different organizations * [AC-1174] Switch to CollectionAuthorizationHandler instead of CollectionAccessAuthorizationHandler to reduce complexity
91 lines
3.5 KiB
C#
91 lines
3.5 KiB
C#
using Bit.Core.Context;
|
|
using Bit.Core.Entities;
|
|
using Bit.Core.Enums;
|
|
using Bit.Core.Exceptions;
|
|
using Bit.Core.Repositories;
|
|
using Bit.Core.Utilities;
|
|
using Microsoft.AspNetCore.Authorization;
|
|
|
|
namespace Bit.Api.Vault.AuthorizationHandlers;
|
|
|
|
public class CollectionAuthorizationHandler : BulkAuthorizationHandler<CollectionOperationRequirement, Collection>
|
|
{
|
|
private readonly ICurrentContext _currentContext;
|
|
private readonly ICollectionRepository _collectionRepository;
|
|
private readonly IOrganizationUserRepository _organizationUserRepository;
|
|
|
|
public CollectionAuthorizationHandler(ICurrentContext currentContext, ICollectionRepository collectionRepository, IOrganizationUserRepository organizationUserRepository)
|
|
{
|
|
_currentContext = currentContext;
|
|
_collectionRepository = collectionRepository;
|
|
_organizationUserRepository = organizationUserRepository;
|
|
}
|
|
|
|
protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, CollectionOperationRequirement requirement,
|
|
ICollection<Collection> resources)
|
|
{
|
|
switch (requirement)
|
|
{
|
|
case not null when requirement == CollectionOperation.ModifyAccess:
|
|
await CanManageCollectionAccessAsync(context, requirement, resources);
|
|
break;
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Ensures the acting user is allowed to manage access permissions for the target collections.
|
|
/// </summary>
|
|
private async Task CanManageCollectionAccessAsync(AuthorizationHandlerContext context, IAuthorizationRequirement requirement, ICollection<Collection> targetCollections)
|
|
{
|
|
if (!_currentContext.UserId.HasValue)
|
|
{
|
|
context.Fail();
|
|
return;
|
|
}
|
|
|
|
var targetOrganizationId = targetCollections.First().OrganizationId;
|
|
|
|
// Ensure all target collections belong to the same organization
|
|
if (targetCollections.Any(tc => tc.OrganizationId != targetOrganizationId))
|
|
{
|
|
throw new BadRequestException("Requested collections must belong to the same organization.");
|
|
}
|
|
|
|
var org = (await _currentContext.OrganizationMembershipAsync(_organizationUserRepository, _currentContext.UserId.Value))
|
|
.FirstOrDefault(o => targetOrganizationId == o.Id);
|
|
|
|
// Acting user is not a member of the target organization, fail
|
|
if (org == null)
|
|
{
|
|
context.Fail();
|
|
return;
|
|
}
|
|
|
|
// Owners, Admins, Providers, and users with EditAnyCollection permission can always manage collection access
|
|
if (
|
|
org.Permissions is { EditAnyCollection: true } ||
|
|
org.Type is OrganizationUserType.Admin or OrganizationUserType.Owner ||
|
|
await _currentContext.ProviderUserForOrgAsync(org.Id))
|
|
{
|
|
context.Succeed(requirement);
|
|
return;
|
|
}
|
|
|
|
// List of collection Ids the acting user is allowed to manage
|
|
var manageableCollectionIds =
|
|
(await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value))
|
|
.Where(c => c.Manage && c.OrganizationId == targetOrganizationId)
|
|
.Select(c => c.Id)
|
|
.ToHashSet();
|
|
|
|
// The acting user does not have permission to manage all target collections, fail
|
|
if (targetCollections.Any(tc => !manageableCollectionIds.Contains(tc.Id)))
|
|
{
|
|
context.Fail();
|
|
return;
|
|
}
|
|
|
|
context.Succeed(requirement);
|
|
}
|
|
}
|