Merge branch 'master' into flexible-collections/deprecate-custom-coll…
…ection-perm
Showing
115 changed files
with
4,711 additions
and
2,674 deletions.
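--- /dev/null
+++ b/...rizationHandlers/AccessPolicies/ServiceAccountPeopleAccessPoliciesAuthorizationHandler.cs
@@ -0,0 +1,89 @@
+using Bit.Core.Context;
+using Bit.Core.Enums;
+using Bit.Core.SecretsManager.AuthorizationRequirements;
+using Bit.Core.SecretsManager.Models.Data;
+using Bit.Core.SecretsManager.Queries.AccessPolicies.Interfaces;
+using Bit.Core.SecretsManager.Queries.Interfaces;
+using Bit.Core.SecretsManager.Repositories;
+using Microsoft.AspNetCore.Authorization;
+
+namespace Bit.Commercial.Core.SecretsManager.AuthorizationHandlers.AccessPolicies;
+
+public class
+    ServiceAccountPeopleAccessPoliciesAuthorizationHandler : AuthorizationHandler<
+        ServiceAccountPeopleAccessPoliciesOperationRequirement,
+        ServiceAccountPeopleAccessPolicies>
+{
+    private readonly IAccessClientQuery _accessClientQuery;
+    private readonly ICurrentContext _currentContext;
+    private readonly ISameOrganizationQuery _sameOrganizationQuery;
+    private readonly IServiceAccountRepository _serviceAccountRepository;
+
+    public ServiceAccountPeopleAccessPoliciesAuthorizationHandler(ICurrentContext currentContext,
+        IAccessClientQuery accessClientQuery,
+        ISameOrganizationQuery sameOrganizationQuery,
+        IServiceAccountRepository serviceAccountRepository)
+    {
+        _currentContext = currentContext;
+        _accessClientQuery = accessClientQuery;
+        _sameOrganizationQuery = sameOrganizationQuery;
+        _serviceAccountRepository = serviceAccountRepository;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context,
+        ServiceAccountPeopleAccessPoliciesOperationRequirement requirement,
+        ServiceAccountPeopleAccessPolicies resource)
+    {
+        if (!_currentContext.AccessSecretsManager(resource.OrganizationId))
+        {
+            return;
+        }
+
+        // Only users and admins should be able to manipulate access policies
+        var (accessClient, userId) =
+            await _accessClientQuery.GetAccessClientAsync(context.User, resource.OrganizationId);
+        if (accessClient != AccessClientType.User && accessClient != AccessClientType.NoAccessCheck)
+        {
+            return;
+        }
+
+        switch (requirement)
+        {
+            case not null when requirement == ServiceAccountPeopleAccessPoliciesOperations.Replace:
+                await CanReplaceServiceAccountPeopleAsync(context, requirement, resource, accessClient, userId);
+                break;
+            default:
+                throw new ArgumentException("Unsupported operation requirement type provided.",
+                    nameof(requirement));
+        }
+    }
+
+    private async Task CanReplaceServiceAccountPeopleAsync(AuthorizationHandlerContext context,
+        ServiceAccountPeopleAccessPoliciesOperationRequirement requirement, ServiceAccountPeopleAccessPolicies resource,
+        AccessClientType accessClient, Guid userId)
+    {
+        var access = await _serviceAccountRepository.AccessToServiceAccountAsync(resource.Id, userId, accessClient);
+        if (access.Write)
+        {
+            if (resource.UserAccessPolicies != null && resource.UserAccessPolicies.Any())
+            {
+                var orgUserIds = resource.UserAccessPolicies.Select(ap => ap.OrganizationUserId!.Value).ToList();
+                if (!await _sameOrganizationQuery.OrgUsersInTheSameOrgAsync(orgUserIds, resource.OrganizationId))
+                {
+                    return;
+                }
+            }
+
+            if (resource.GroupAccessPolicies != null && resource.GroupAccessPolicies.Any())
+            {
+                var groupIds = resource.GroupAccessPolicies.Select(ap => ap.GroupId!.Value).ToList();
+                if (!await _sameOrganizationQuery.GroupsInTheSameOrgAsync(groupIds, resource.OrganizationId))
+                {
+                    return;
+                }
+            }
+
+            context.Succeed(requirement);
+        }
+    }
+}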
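Review bot: `ap.OrganizationUserId!.Value` and `ap.GroupId!.Value` in CanReplaceServiceAccountPeopleAsync turn a policy entry whose id is missing into an InvalidOperationException thrown from inside the authorization handler rather than a denial; if these policy lists are populated from the request body (the resource type suggests so, but the hunk does not show where it is built), malformed input would surface as a server error instead of a failed authorization. Guard before projecting, e.g. `if (resource.UserAccessPolicies.Any(ap => ap.OrganizationUserId is null)) { return; }` and the equivalent for `GroupId`, so an entry without an id falls through without `Succeed`. The class also has no XML doc; a `<summary>` stating that `Succeed` requires both write access to the service account and same-organization membership of every referenced user and group would make the intended invariant explicit for the next reader. The class and both methods are complete within this section.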
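--- /dev/null
+++ b/...icense/src/Commercial.Core/SecretsManager/Queries/AccessPolicies/SameOrganizationQuery.cs
@@ -0,0 +1,32 @@
+using Bit.Core.AdminConsole.Repositories;
+using Bit.Core.Repositories;
+using Bit.Core.SecretsManager.Queries.AccessPolicies.Interfaces;
+
+namespace Bit.Commercial.Core.SecretsManager.Queries.AccessPolicies;
+
+public class SameOrganizationQuery : ISameOrganizationQuery
+{
+    private readonly IGroupRepository _groupRepository;
+    private readonly IOrganizationUserRepository _organizationUserRepository;
+
+    public SameOrganizationQuery(IOrganizationUserRepository organizationUserRepository,
+        IGroupRepository groupRepository)
+    {
+        _organizationUserRepository = organizationUserRepository;
+        _groupRepository = groupRepository;
+    }
+
+    public async Task<bool> OrgUsersInTheSameOrgAsync(List<Guid> organizationUserIds, Guid organizationId)
+    {
+        var users = await _organizationUserRepository.GetManyAsync(organizationUserIds);
+        return users.All(user => user.OrganizationId == organizationId) &&
+               users.Count == organizationUserIds.Count;
+    }
+
+    public async Task<bool> GroupsInTheSameOrgAsync(List<Guid> groupIds, Guid organizationId)
+    {
+        var groups = await _groupRepository.GetManyByManyIds(groupIds);
+        return groups.All(group => group.OrganizationId == organizationId) &&
+               groups.Count == groupIds.Count;
+    }
+}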
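Review bot: The `Count` comparison in OrgUsersInTheSameOrgAsync and GroupsInTheSameOrgAsync is the part of the check that stops non-existent ids (or ids the repository did not return) from passing, because `All` is vacuously true on an empty or shorter result, yet nothing in the code says so; add `// Count check is required: All() is true for an empty result, so ids that do not resolve would otherwise pass.` above each return statement. Note also that a list containing the same id twice will be rejected by the count comparison if the repository returns one row per distinct id (not visible here); that is the conservative outcome, but it belongs in the same comment so a later change does not "fix" it by dropping the count check. Both methods are complete within this section.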