-
Notifications
You must be signed in to change notification settings - Fork 1.3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[AC-2614] Member Access Report Endpoint (#4599)
* Initial draft of moving the org user controller details method into a query * Removing comments and addressing pr items * Adding the org users query to core * Adding the member access report * Addressing some pr concerns and refactoring to be more efficient * Some minor changes to the way properties are spelled * Setting authorization to organization * Adding the permissions check for reports and comments * removing unnecessary usings * Removing ciphers controller change that was a mistake * There was a duplication issue in getting collections for users grabbing groups * Adding comments to the CreateReport method * Only get the user collections by userId * Some finaly refactoring * Adding the no group, no collection, and no perms local strings * Modifying and adding query test cases * Removing unnecessary permissions code in query * Added mapping for id and UsesKeyConnector to MemberAccessReportModel (#4681) * Moving test cases from controller fully into the query. --------- Co-authored-by: Daniel James Smith <2670567+djsmith85@users.noreply.github.com> Co-authored-by: aj-rosado <109146700+aj-rosado@users.noreply.github.com>
- Loading branch information
3 people
authored
Sep 4, 2024
1 parent
fdf6d8f
commit af3797c
Showing
12 changed files
with
503 additions
and
95 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,77 @@ | ||
| using Bit.Api.Tools.Models.Response; | ||
| using Bit.Core.AdminConsole.Repositories; | ||
| using Bit.Core.Auth.UserFeatures.TwoFactorAuth.Interfaces; | ||
| using Bit.Core.Context; | ||
| using Bit.Core.Exceptions; | ||
| using Bit.Core.Repositories; | ||
| using Bit.Core.Services; | ||
| using Bit.Core.Vault.Queries; | ||
| using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Interfaces; | ||
| using Core.AdminConsole.OrganizationFeatures.OrganizationUsers.Requests; | ||
| using Microsoft.AspNetCore.Authorization; | ||
| using Microsoft.AspNetCore.Mvc; | ||
|
|
||
| namespace Bit.Api.Tools.Controllers; | ||
|
|
||
| [Route("reports")] | ||
| [Authorize("Application")] | ||
| public class ReportsController : Controller | ||
| { | ||
| private readonly IOrganizationUserUserDetailsQuery _organizationUserUserDetailsQuery; | ||
| private readonly IGroupRepository _groupRepository; | ||
| private readonly ICollectionRepository _collectionRepository; | ||
| private readonly ICurrentContext _currentContext; | ||
| private readonly IOrganizationCiphersQuery _organizationCiphersQuery; | ||
| private readonly IApplicationCacheService _applicationCacheService; | ||
| private readonly ITwoFactorIsEnabledQuery _twoFactorIsEnabledQuery; | ||
|
|
||
| public ReportsController( | ||
| IOrganizationUserUserDetailsQuery organizationUserUserDetailsQuery, | ||
| IGroupRepository groupRepository, | ||
| ICollectionRepository collectionRepository, | ||
| ICurrentContext currentContext, | ||
| IOrganizationCiphersQuery organizationCiphersQuery, | ||
| IApplicationCacheService applicationCacheService, | ||
| ITwoFactorIsEnabledQuery twoFactorIsEnabledQuery | ||
| ) | ||
| { | ||
| _organizationUserUserDetailsQuery = organizationUserUserDetailsQuery; | ||
| _groupRepository = groupRepository; | ||
| _collectionRepository = collectionRepository; | ||
| _currentContext = currentContext; | ||
| _organizationCiphersQuery = organizationCiphersQuery; | ||
| _applicationCacheService = applicationCacheService; | ||
| _twoFactorIsEnabledQuery = twoFactorIsEnabledQuery; | ||
| } | ||
|
|
||
| [HttpGet("member-access/{orgId}")] | ||
| public async Task<IEnumerable<MemberAccessReportResponseModel>> GetMemberAccessReport(Guid orgId) | ||
| { | ||
| if (!await _currentContext.AccessReports(orgId)) | ||
| { | ||
| throw new NotFoundException(); | ||
| } | ||
|
|
||
| var orgUsers = await _organizationUserUserDetailsQuery.GetOrganizationUserUserDetails( | ||
| new OrganizationUserUserDetailsQueryRequest | ||
| { | ||
| OrganizationId = orgId, | ||
| IncludeCollections = true, | ||
| IncludeGroups = true | ||
| }); | ||
|
|
||
| var orgGroups = await _groupRepository.GetManyByOrganizationIdAsync(orgId); | ||
| var orgAbility = await _applicationCacheService.GetOrganizationAbilityAsync(orgId); | ||
| var orgCollectionsWithAccess = await _collectionRepository.GetManyByOrganizationIdWithAccessAsync(orgId); | ||
| var orgItems = await _organizationCiphersQuery.GetAllOrganizationCiphers(orgId); | ||
| var organizationUsersTwoFactorEnabled = await _twoFactorIsEnabledQuery.TwoFactorIsEnabledAsync(orgUsers); | ||
|
|
||
| var reports = MemberAccessReportResponseModel.CreateReport( | ||
| orgGroups, | ||
| orgCollectionsWithAccess, | ||
| orgItems, | ||
| organizationUsersTwoFactorEnabled, | ||
| orgAbility); | ||
| return reports; | ||
| } | ||
| } |
172 changes: 172 additions & 0 deletions
172
src/Api/Tools/Models/Response/MemberAccessReportModel.cs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,172 @@ | ||
| using Bit.Core.AdminConsole.Entities; | ||
| using Bit.Core.Entities; | ||
| using Bit.Core.Models.Data; | ||
| using Bit.Core.Models.Data.Organizations; | ||
| using Bit.Core.Models.Data.Organizations.OrganizationUsers; | ||
| using Bit.Core.Vault.Models.Data; | ||
|
|
||
| namespace Bit.Api.Tools.Models.Response; | ||
|
|
||
| /// <summary> | ||
| /// Member access details. The individual item for the detailed member access | ||
| /// report. A collection can be assigned directly to a user without a group or | ||
| /// the user can be assigned to a collection through a group. Group level permissions | ||
| /// can override collection level permissions. | ||
| /// </summary> | ||
| public class MemberAccessReportAccessDetails | ||
| { | ||
| public Guid? CollectionId { get; set; } | ||
| public Guid? GroupId { get; set; } | ||
| public string GroupName { get; set; } | ||
| public string CollectionName { get; set; } | ||
| public int ItemCount { get; set; } | ||
| public bool? ReadOnly { get; set; } | ||
| public bool? HidePasswords { get; set; } | ||
| public bool? Manage { get; set; } | ||
| } | ||
|
|
||
| /// <summary> | ||
| /// Contains the collections and group collections a user has access to including | ||
| /// the permission level for the collection and group collection. | ||
| /// </summary> | ||
| public class MemberAccessReportResponseModel | ||
| { | ||
| public string UserName { get; set; } | ||
| public string Email { get; set; } | ||
| public bool TwoFactorEnabled { get; set; } | ||
| public bool AccountRecoveryEnabled { get; set; } | ||
| public int GroupsCount { get; set; } | ||
| public int CollectionsCount { get; set; } | ||
| public int TotalItemCount { get; set; } | ||
| public Guid? UserGuid { get; set; } | ||
| public bool UsesKeyConnector { get; set; } | ||
| public IEnumerable<MemberAccessReportAccessDetails> AccessDetails { get; set; } | ||
|
|
||
| /// <summary> | ||
| /// Generates a report for all members of an organization. Containing summary information | ||
| /// such as item, collection, and group counts. As well as detailed information on the | ||
| /// user and group collections along with their permissions | ||
| /// </summary> | ||
| /// <param name="orgGroups">Organization groups collection</param> | ||
| /// <param name="orgCollectionsWithAccess">Collections for the organization and the groups/users and permissions</param> | ||
| /// <param name="orgItems">Cipher items for the organization with the collections associated with them</param> | ||
| /// <param name="organizationUsersTwoFactorEnabled">Organization users and two factor status</param> | ||
| /// <param name="orgAbility">Organization ability for account recovery status</param> | ||
| /// <returns>List of the MemberAccessReportResponseModel</returns>; | ||
| public static IEnumerable<MemberAccessReportResponseModel> CreateReport( | ||
| ICollection<Group> orgGroups, | ||
| ICollection<Tuple<Collection, CollectionAccessDetails>> orgCollectionsWithAccess, | ||
| IEnumerable<CipherOrganizationDetailsWithCollections> orgItems, | ||
| IEnumerable<(OrganizationUserUserDetails user, bool twoFactorIsEnabled)> organizationUsersTwoFactorEnabled, | ||
| OrganizationAbility orgAbility) | ||
| { | ||
| var orgUsers = organizationUsersTwoFactorEnabled.Select(x => x.user); | ||
| // Create a dictionary to lookup the group names later. | ||
| var groupNameDictionary = orgGroups.ToDictionary(x => x.Id, x => x.Name); | ||
|
|
||
| // Get collections grouped and into a dictionary for counts | ||
| var collectionItems = orgItems | ||
| .SelectMany(x => x.CollectionIds, | ||
| (x, b) => new { CipherId = x.Id, CollectionId = b }) | ||
| .GroupBy(y => y.CollectionId, | ||
| (key, g) => new { CollectionId = key, Ciphers = g }); | ||
| var collectionItemCounts = collectionItems.ToDictionary(x => x.CollectionId, x => x.Ciphers.Count()); | ||
|
|
||
| // Take the collections/groups and create the access details items | ||
| var groupAccessDetails = new List<MemberAccessReportAccessDetails>(); | ||
| var userCollectionAccessDetails = new List<MemberAccessReportAccessDetails>(); | ||
| foreach (var tCollect in orgCollectionsWithAccess) | ||
| { | ||
| var itemCounts = collectionItemCounts.TryGetValue(tCollect.Item1.Id, out var itemCount) ? itemCount : 0; | ||
| if (tCollect.Item2.Groups.Count() > 0) | ||
| { | ||
| var groupDetails = tCollect.Item2.Groups.Select(x => | ||
| new MemberAccessReportAccessDetails | ||
| { | ||
| CollectionId = tCollect.Item1.Id, | ||
| CollectionName = tCollect.Item1.Name, | ||
| GroupId = x.Id, | ||
| GroupName = groupNameDictionary[x.Id], | ||
| ReadOnly = x.ReadOnly, | ||
| HidePasswords = x.HidePasswords, | ||
| Manage = x.Manage, | ||
| ItemCount = itemCounts, | ||
| }); | ||
| groupAccessDetails.AddRange(groupDetails); | ||
| } | ||
|
|
||
| // All collections assigned to users and their permissions | ||
| if (tCollect.Item2.Users.Count() > 0) | ||
| { | ||
| var userCollectionDetails = tCollect.Item2.Users.Select(x => | ||
| new MemberAccessReportAccessDetails | ||
| { | ||
| CollectionId = tCollect.Item1.Id, | ||
| CollectionName = tCollect.Item1.Name, | ||
| ReadOnly = x.ReadOnly, | ||
| HidePasswords = x.HidePasswords, | ||
| Manage = x.Manage, | ||
| ItemCount = itemCounts, | ||
| }); | ||
| userCollectionAccessDetails.AddRange(userCollectionDetails); | ||
| } | ||
| } | ||
|
|
||
| // Loop through the org users and populate report and access data | ||
| var memberAccessReport = new List<MemberAccessReportResponseModel>(); | ||
| foreach (var user in orgUsers) | ||
| { | ||
| var report = new MemberAccessReportResponseModel | ||
| { | ||
| UserName = user.Name, | ||
| Email = user.Email, | ||
| TwoFactorEnabled = organizationUsersTwoFactorEnabled.FirstOrDefault(u => u.user.Id == user.Id).twoFactorIsEnabled, | ||
| // Both the user's ResetPasswordKey must be set and the organization can UseResetPassword | ||
| AccountRecoveryEnabled = !string.IsNullOrEmpty(user.ResetPasswordKey) && orgAbility.UseResetPassword, | ||
| UserGuid = user.Id, | ||
| UsesKeyConnector = user.UsesKeyConnector | ||
| }; | ||
|
|
||
| var userAccessDetails = new List<MemberAccessReportAccessDetails>(); | ||
| if (user.Groups.Any()) | ||
| { | ||
| var userGroups = groupAccessDetails.Where(x => user.Groups.Contains(x.GroupId.GetValueOrDefault())); | ||
| userAccessDetails.AddRange(userGroups); | ||
| } | ||
|
|
||
| // There can be edge cases where groups don't have a collection | ||
| var groupsWithoutCollections = user.Groups.Where(x => !userAccessDetails.Any(y => x == y.GroupId)); | ||
| if (groupsWithoutCollections.Count() > 0) | ||
| { | ||
| var emptyGroups = groupsWithoutCollections.Select(x => new MemberAccessReportAccessDetails | ||
| { | ||
| GroupId = x, | ||
| GroupName = groupNameDictionary[x], | ||
| ItemCount = 0 | ||
| }); | ||
| userAccessDetails.AddRange(emptyGroups); | ||
| } | ||
|
|
||
| if (user.Collections.Any()) | ||
| { | ||
| var userCollections = userCollectionAccessDetails.Where(x => user.Collections.Any(y => x.CollectionId == y.Id)); | ||
| userAccessDetails.AddRange(userCollections); | ||
| } | ||
| report.AccessDetails = userAccessDetails; | ||
|
|
||
| report.TotalItemCount = collectionItems | ||
| .Where(x => report.AccessDetails.Any(y => x.CollectionId == y.CollectionId)) | ||
| .SelectMany(x => x.Ciphers) | ||
| .GroupBy(g => g.CipherId).Select(grp => grp.FirstOrDefault()) | ||
| .Count(); | ||
|
|
||
| // Distinct items only | ||
| var distinctItems = report.AccessDetails.Where(x => x.CollectionId.HasValue).Select(x => x.CollectionId).Distinct(); | ||
| report.CollectionsCount = distinctItems.Count(); | ||
| report.GroupsCount = report.AccessDetails.Select(x => x.GroupId).Where(y => y.HasValue).Distinct().Count(); | ||
| memberAccessReport.Add(report); | ||
| } | ||
| return memberAccessReport; | ||
| } | ||
|
|
||
| } |
Oops, something went wrong.