Upstream/bitwarden-server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2024-11-21 12:05:42 +01:00
Code Issues Projects Releases Wiki Activity

[SM-713] Add database support for secret access policies (#3681)

Browse Source 
* mssql add column and migration

* Add secret access policies to EF models and config

* Clear new access policies on service account delete

* Add SM cleanup code on delete

* Fix EF org user bulk delete

* Run EF migrations
This commit is contained in:
Thomas Avery 2024-02-22 10:06:39 -06:00 committed by GitHub
parent 374b59bcfb
commit 1499d1e2c6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
20 changed files with 8315 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
bitwarden_license/src/Commercial.Infrastructure.EntityFramework/SecretsManager/Repositories/ServiceAccountRepository.cs
View File

@ -84,22 +84,29 @@ public class ServiceAccountRepository : Repository<Core.SecretsManager.Entities.
public async Task DeleteManyByIdAsync(IEnumerable<Guid> ids)
{
var targetIds = ids.ToList();
using var scope = ServiceScopeFactory.CreateScope();
var dbContext = GetDatabaseContext(scope);
await using var transaction = await dbContext.Database.BeginTransactionAsync();
// Policies can't have a cascade delete, so we need to delete them manually.
var policies = dbContext.AccessPolicies.Where(ap =>
((ServiceAccountProjectAccessPolicy)ap).ServiceAccountId.HasValue && ids.Contains(((ServiceAccountProjectAccessPolicy)ap).ServiceAccountId!.Value) ||
((GroupServiceAccountAccessPolicy)ap).GrantedServiceAccountId.HasValue && ids.Contains(((GroupServiceAccountAccessPolicy)ap).GrantedServiceAccountId!.Value) ||
((UserServiceAccountAccessPolicy)ap).GrantedServiceAccountId.HasValue && ids.Contains(((UserServiceAccountAccessPolicy)ap).GrantedServiceAccountId!.Value));
dbContext.RemoveRange(policies);
await dbContext.AccessPolicies.Where(ap =>
targetIds.Contains(((ServiceAccountProjectAccessPolicy)ap).ServiceAccountId!.Value) ||
targetIds.Contains(((ServiceAccountSecretAccessPolicy)ap).ServiceAccountId!.Value) ||
targetIds.Contains(((GroupServiceAccountAccessPolicy)ap).GrantedServiceAccountId!.Value) ||
targetIds.Contains(((UserServiceAccountAccessPolicy)ap).GrantedServiceAccountId!.Value))
.ExecuteDeleteAsync();
var apiKeys = dbContext.ApiKeys.Where(a => a.ServiceAccountId.HasValue && ids.Contains(a.ServiceAccountId!.Value));
dbContext.RemoveRange(apiKeys);
await dbContext.ApiKeys
.Where(a => targetIds.Contains(a.ServiceAccountId!.Value))
.ExecuteDeleteAsync();
var serviceAccounts = dbContext.ServiceAccount.Where(c => ids.Contains(c.Id));
dbContext.RemoveRange(serviceAccounts);
await dbContext.SaveChangesAsync();
await dbContext.ServiceAccount
.Where(c => targetIds.Contains(c.Id))
.ExecuteDeleteAsync();
await transaction.CommitAsync();
}
public async Task<(bool Read, bool Write)> AccessToServiceAccountAsync(Guid id, Guid userId,

25
src/Core/SecretsManager/Entities/AccessPolicy.cs
View File

@ -38,6 +38,14 @@ public class UserServiceAccountAccessPolicy : BaseAccessPolicy
public ServiceAccount? GrantedServiceAccount { get; set; }
}
public class UserSecretAccessPolicy : BaseAccessPolicy
{
public Guid? OrganizationUserId { get; set; }
public User? User { get; set; }
public Guid? GrantedSecretId { get; set; }
public Secret? GrantedSecret { get; set; }
}
public class GroupProjectAccessPolicy : BaseAccessPolicy
{
public Guid? GroupId { get; set; }
@ -56,6 +64,15 @@ public class GroupServiceAccountAccessPolicy : BaseAccessPolicy
public ServiceAccount? GrantedServiceAccount { get; set; }
}
public class GroupSecretAccessPolicy : BaseAccessPolicy
{
public Guid? GroupId { get; set; }
public Group? Group { get; set; }
public bool? CurrentUserInGroup { get; set; }
public Guid? GrantedSecretId { get; set; }
public Secret? GrantedSecret { get; set; }
}
public class ServiceAccountProjectAccessPolicy : BaseAccessPolicy
{
public Guid? ServiceAccountId { get; set; }
@ -63,3 +80,11 @@ public class ServiceAccountProjectAccessPolicy : BaseAccessPolicy
public Guid? GrantedProjectId { get; set; }
public Project? GrantedProject { get; set; }
}
public class ServiceAccountSecretAccessPolicy : BaseAccessPolicy
{
public Guid? ServiceAccountId { get; set; }
public ServiceAccount? ServiceAccount { get; set; }
public Guid? GrantedSecretId { get; set; }
public Secret? GrantedSecret { get; set; }
}

2
src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationRepository.cs
View File

@ -180,6 +180,8 @@ public class OrganizationRepository : Repository<Core.AdminConsole.Entities.Orga
.ExecuteDeleteAsync();
await dbContext.UserServiceAccountAccessPolicy.Where(ap => ap.OrganizationUser.OrganizationId == organization.Id)
.ExecuteDeleteAsync();
await dbContext.UserSecretAccessPolicy.Where(ap => ap.OrganizationUser.OrganizationId == organization.Id)
.ExecuteDeleteAsync();
await dbContext.OrganizationUsers.Where(ou => ou.OrganizationId == organization.Id)
.ExecuteDeleteAsync();
await dbContext.ProviderOrganizations.Where(po => po.OrganizationId == organization.Id)

42
src/Infrastructure.EntityFramework/AdminConsole/Repositories/OrganizationUserRepository.cs
View File

@ -100,6 +100,8 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
dbContext.UserProjectAccessPolicy.Where(ap => ap.OrganizationUserId == organizationUserId));
dbContext.UserServiceAccountAccessPolicy.RemoveRange(
dbContext.UserServiceAccountAccessPolicy.Where(ap => ap.OrganizationUserId == organizationUserId));
dbContext.UserSecretAccessPolicy.RemoveRange(
dbContext.UserSecretAccessPolicy.Where(ap => ap.OrganizationUserId == organizationUserId));
var orgSponsorships = await dbContext.OrganizationSponsorships
.Where(os => os.SponsoringOrganizationUserId == organizationUserId)
@ -117,18 +119,36 @@ public class OrganizationUserRepository : Repository<Core.Entities.OrganizationU
public async Task DeleteManyAsync(IEnumerable<Guid> organizationUserIds)
{
using (var scope = ServiceScopeFactory.CreateScope())
{
var dbContext = GetDatabaseContext(scope);
await dbContext.UserBumpAccountRevisionDateByOrganizationUserIdsAsync(organizationUserIds);
var entities = await dbContext.OrganizationUsers
// TODO: Does this work?
.Where(ou => organizationUserIds.Contains(ou.Id))
.ToListAsync();
var targetOrganizationUserIds = organizationUserIds.ToList();
using var scope = ServiceScopeFactory.CreateScope();
var dbContext = GetDatabaseContext(scope);
dbContext.OrganizationUsers.RemoveRange(entities);
await dbContext.SaveChangesAsync();
}
var transaction = await dbContext.Database.BeginTransactionAsync();
await dbContext.UserBumpAccountRevisionDateByOrganizationUserIdsAsync(targetOrganizationUserIds);
await dbContext.CollectionUsers
.Where(cu => targetOrganizationUserIds.Contains(cu.OrganizationUserId))
.ExecuteDeleteAsync();
await dbContext.GroupUsers
.Where(gu => targetOrganizationUserIds.Contains(gu.OrganizationUserId))
.ExecuteDeleteAsync();
await dbContext.UserProjectAccessPolicy
.Where(ap => targetOrganizationUserIds.Contains(ap.OrganizationUserId!.Value))
.ExecuteDeleteAsync();
await dbContext.UserServiceAccountAccessPolicy
.Where(ap => targetOrganizationUserIds.Contains(ap.OrganizationUserId!.Value))
.ExecuteDeleteAsync();
await dbContext.UserSecretAccessPolicy
.Where(ap => targetOrganizationUserIds.Contains(ap.OrganizationUserId!.Value))
.ExecuteDeleteAsync();
await dbContext.OrganizationUsers
.Where(ou => targetOrganizationUserIds.Contains(ou.Id)).ExecuteDeleteAsync();
await dbContext.SaveChangesAsync();
await transaction.CommitAsync();
}
public async Task<Tuple<Core.Entities.OrganizationUser, ICollection<CollectionAccessSelection>>> GetByIdWithCollectionsAsync(Guid id)

3
src/Infrastructure.EntityFramework/Repositories/DatabaseContext.cs
View File

@ -27,6 +27,9 @@ public class DatabaseContext : DbContext
public DbSet<ServiceAccountProjectAccessPolicy> ServiceAccountProjectAccessPolicy { get; set; }
public DbSet<UserServiceAccountAccessPolicy> UserServiceAccountAccessPolicy { get; set; }
public DbSet<GroupServiceAccountAccessPolicy> GroupServiceAccountAccessPolicy { get; set; }
public DbSet<UserSecretAccessPolicy> UserSecretAccessPolicy { get; set; }
public DbSet<GroupSecretAccessPolicy> GroupSecretAccessPolicy { get; set; }
public DbSet<ServiceAccountSecretAccessPolicy> ServiceAccountSecretAccessPolicy { get; set; }
public DbSet<ApiKey> ApiKeys { get; set; }
public DbSet<Cipher> Ciphers { get; set; }
public DbSet<Collection> Collections { get; set; }

71
src/Infrastructure.EntityFramework/SecretsManager/Configurations/AccessPolicyEntityTypeConfiguration.cs
View File

@ -13,9 +13,12 @@ public class AccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<Acce
.HasDiscriminator<string>("Discriminator")
.HasValue<UserProjectAccessPolicy>(AccessPolicyDiscriminator.UserProject)
.HasValue<UserServiceAccountAccessPolicy>(AccessPolicyDiscriminator.UserServiceAccount)
.HasValue<UserSecretAccessPolicy>(AccessPolicyDiscriminator.UserSecret)
.HasValue<GroupProjectAccessPolicy>(AccessPolicyDiscriminator.GroupProject)
.HasValue<GroupServiceAccountAccessPolicy>(AccessPolicyDiscriminator.GroupServiceAccount)
.HasValue<ServiceAccountProjectAccessPolicy>(AccessPolicyDiscriminator.ServiceAccountProject);
.HasValue<GroupSecretAccessPolicy>(AccessPolicyDiscriminator.GroupSecret)
.HasValue<ServiceAccountProjectAccessPolicy>(AccessPolicyDiscriminator.ServiceAccountProject)
.HasValue<ServiceAccountSecretAccessPolicy>(AccessPolicyDiscriminator.ServiceAccountSecret);
builder
.Property(s => s.Id)
@ -63,6 +66,26 @@ public class UserServiceAccountAccessPolicyEntityTypeConfiguration : IEntityType
}
}
public class UserSecretAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<UserSecretAccessPolicy>
{
public void Configure(EntityTypeBuilder<UserSecretAccessPolicy> builder)
{
builder
.Property(e => e.OrganizationUserId)
.HasColumnName(nameof(UserSecretAccessPolicy.OrganizationUserId));
builder
.Property(e => e.GrantedSecretId)
.HasColumnName(nameof(UserSecretAccessPolicy.GrantedSecretId));
builder
.HasOne(e => e.GrantedSecret)
.WithMany(e => e.UserAccessPolicies)
.HasForeignKey(nameof(UserSecretAccessPolicy.GrantedSecretId))
.OnDelete(DeleteBehavior.Cascade);
}
}
public class GroupProjectAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<GroupProjectAccessPolicy>
{
public void Configure(EntityTypeBuilder<GroupProjectAccessPolicy> builder)
@ -109,6 +132,32 @@ public class GroupServiceAccountAccessPolicyEntityTypeConfiguration : IEntityTyp
}
}
public class GroupSecretAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<GroupSecretAccessPolicy>
{
public void Configure(EntityTypeBuilder<GroupSecretAccessPolicy> builder)
{
builder
.Property(e => e.GroupId)
.HasColumnName(nameof(GroupSecretAccessPolicy.GroupId));
builder
.Property(e => e.GrantedSecretId)
.HasColumnName(nameof(GroupSecretAccessPolicy.GrantedSecretId));
builder
.HasOne(e => e.GrantedSecret)
.WithMany(e => e.GroupAccessPolicies)
.HasForeignKey(nameof(GroupSecretAccessPolicy.GrantedSecretId))
.OnDelete(DeleteBehavior.Cascade);
builder
.HasOne(e => e.Group)
.WithMany()
.HasForeignKey(nameof(GroupSecretAccessPolicy.GroupId))
.OnDelete(DeleteBehavior.Cascade);
}
}
public class ServiceAccountProjectAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<ServiceAccountProjectAccessPolicy>
{
public void Configure(EntityTypeBuilder<ServiceAccountProjectAccessPolicy> builder)
@ -128,3 +177,23 @@ public class ServiceAccountProjectAccessPolicyEntityTypeConfiguration : IEntityT
.OnDelete(DeleteBehavior.Cascade);
}
}
public class ServiceAccountSecretAccessPolicyEntityTypeConfiguration : IEntityTypeConfiguration<ServiceAccountSecretAccessPolicy>
{
public void Configure(EntityTypeBuilder<ServiceAccountSecretAccessPolicy> builder)
{
builder
.Property(e => e.ServiceAccountId)
.HasColumnName(nameof(ServiceAccountSecretAccessPolicy.ServiceAccountId));
builder
.Property(e => e.GrantedSecretId)
.HasColumnName(nameof(ServiceAccountSecretAccessPolicy.GrantedSecretId));
builder
.HasOne(e => e.GrantedSecret)
.WithMany(e => e.ServiceAccountAccessPolicies)
.HasForeignKey(nameof(ServiceAccountSecretAccessPolicy.GrantedSecretId))
.OnDelete(DeleteBehavior.Cascade);
}
}

4
src/Infrastructure.EntityFramework/SecretsManager/Discriminators/AccessPolicyDiscriminator.cs
View File

@ -4,8 +4,10 @@ public static class AccessPolicyDiscriminator
{
public const string UserProject = "user_project";
public const string UserServiceAccount = "user_service_account";
public const string UserSecret = "user_secret";
public const string GroupProject = "group_project";
public const string GroupServiceAccount = "group_service_account";
public const string GroupSecret = "group_secret";
public const string ServiceAccountProject = "service_account_project";
public const string ServiceAccountSecret = "service_account_secret";
}

41
src/Infrastructure.EntityFramework/SecretsManager/Models/AccessPolicy.cs
View File

@ -24,6 +24,12 @@ public class AccessPolicyMapperProfile : Profile
.ReverseMap()
.ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
CreateMap<Core.SecretsManager.Entities.UserSecretAccessPolicy, UserSecretAccessPolicy>()
.ForMember(dst => dst.GrantedSecret, opt => opt.Ignore())
.ForMember(dst => dst.OrganizationUser, opt => opt.Ignore())
.ReverseMap()
.ForMember(dst => dst.User, opt => opt.MapFrom(src => src.OrganizationUser.User));
CreateMap<Core.SecretsManager.Entities.GroupProjectAccessPolicy, GroupProjectAccessPolicy>()
.ForMember(dst => dst.GrantedProject, opt => opt.Ignore())
.ForMember(dst => dst.Group, opt => opt.Ignore())
@ -34,10 +40,20 @@ public class AccessPolicyMapperProfile : Profile
.ForMember(dst => dst.Group, opt => opt.Ignore())
.ReverseMap();
CreateMap<Core.SecretsManager.Entities.GroupSecretAccessPolicy, GroupSecretAccessPolicy>()
.ForMember(dst => dst.GrantedSecret, opt => opt.Ignore())
.ForMember(dst => dst.Group, opt => opt.Ignore())
.ReverseMap();
CreateMap<Core.SecretsManager.Entities.ServiceAccountProjectAccessPolicy, ServiceAccountProjectAccessPolicy>()
.ForMember(dst => dst.GrantedProject, opt => opt.Ignore())
.ForMember(dst => dst.ServiceAccount, opt => opt.Ignore())
.ReverseMap();
CreateMap<Core.SecretsManager.Entities.ServiceAccountSecretAccessPolicy, ServiceAccountSecretAccessPolicy>()
.ForMember(dst => dst.GrantedSecret, opt => opt.Ignore())
.ForMember(dst => dst.ServiceAccount, opt => opt.Ignore())
.ReverseMap();
}
}
@ -61,6 +77,14 @@ public class UserServiceAccountAccessPolicy : AccessPolicy
public virtual ServiceAccount GrantedServiceAccount { get; set; }
}
public class UserSecretAccessPolicy : AccessPolicy
{
public Guid? OrganizationUserId { get; set; }
public virtual OrganizationUser OrganizationUser { get; set; }
public Guid? GrantedSecretId { get; set; }
public virtual Secret GrantedSecret { get; set; }
}
public class GroupProjectAccessPolicy : AccessPolicy
{
public Guid? GroupId { get; set; }
@ -77,6 +101,14 @@ public class GroupServiceAccountAccessPolicy : AccessPolicy
public virtual ServiceAccount GrantedServiceAccount { get; set; }
}
public class GroupSecretAccessPolicy : AccessPolicy
{
public Guid? GroupId { get; set; }
public virtual Group Group { get; set; }
public Guid? GrantedSecretId { get; set; }
public virtual Secret GrantedSecret { get; set; }
}
public class ServiceAccountProjectAccessPolicy : AccessPolicy
{
public Guid? ServiceAccountId { get; set; }
@ -84,3 +116,12 @@ public class ServiceAccountProjectAccessPolicy : AccessPolicy
public Guid? GrantedProjectId { get; set; }
public virtual Project GrantedProject { get; set; }
}
public class ServiceAccountSecretAccessPolicy : AccessPolicy
{
public Guid? ServiceAccountId { get; set; }
public virtual ServiceAccount ServiceAccount { get; set; }
public Guid? GrantedSecretId { get; set; }
public virtual Secret GrantedSecret { get; set; }
}

5
src/Infrastructure.EntityFramework/SecretsManager/Models/Secret.cs
View File

@ -5,8 +5,11 @@ namespace Bit.Infrastructure.EntityFramework.SecretsManager.Models;
public class Secret : Core.SecretsManager.Entities.Secret
{
public virtual new ICollection<Project> Projects { get; set; }
public new virtual ICollection<Project> Projects { get; set; }
public virtual Organization Organization { get; set; }
public virtual ICollection<UserSecretAccessPolicy> UserAccessPolicies { get; set; }
public virtual ICollection<GroupSecretAccessPolicy> GroupAccessPolicies { get; set; }
public virtual ICollection<ServiceAccountSecretAccessPolicy> ServiceAccountAccessPolicies { get; set; }
}
public class SecretMapperProfile : Profile

50
src/Sql/SecretsManager/dbo/Tables/AccessPolicy.sql
View File

@ -1,34 +1,40 @@
CREATE TABLE [AccessPolicy] (
[Id] UNIQUEIDENTIFIER NOT NULL,
[Discriminator] NVARCHAR(50) NOT NULL,
[OrganizationUserId] UNIQUEIDENTIFIER NULL,
[GroupId] UNIQUEIDENTIFIER NULL,
[ServiceAccountId] UNIQUEIDENTIFIER NULL,
[GrantedProjectId] UNIQUEIDENTIFIER NULL,
CREATE TABLE [dbo].[AccessPolicy]
(
[Id] UNIQUEIDENTIFIER NOT NULL,
[Discriminator] NVARCHAR (50) NOT NULL,
[OrganizationUserId] UNIQUEIDENTIFIER NULL,
[GroupId] UNIQUEIDENTIFIER NULL,
[ServiceAccountId] UNIQUEIDENTIFIER NULL,
[GrantedProjectId] UNIQUEIDENTIFIER NULL,
[GrantedServiceAccountId] UNIQUEIDENTIFIER NULL,
[Read] BIT NOT NULL,
[Write] BIT NOT NULL,
[CreationDate] DATETIME2 NOT NULL,
[RevisionDate] DATETIME2 NOT NULL,
CONSTRAINT [PK_AccessPolicy] PRIMARY KEY CLUSTERED ([Id]),
CONSTRAINT [FK_AccessPolicy_Group_GroupId] FOREIGN KEY ([GroupId]) REFERENCES [Group] ([Id]) ON DELETE CASCADE,
CONSTRAINT [FK_AccessPolicy_OrganizationUser_OrganizationUserId] FOREIGN KEY ([OrganizationUserId]) REFERENCES [OrganizationUser] ([Id]),
CONSTRAINT [FK_AccessPolicy_Project_GrantedProjectId] FOREIGN KEY ([GrantedProjectId]) REFERENCES [Project] ([Id]) ON DELETE CASCADE,
CONSTRAINT [FK_AccessPolicy_ServiceAccount_GrantedServiceAccountId] FOREIGN KEY ([GrantedServiceAccountId]) REFERENCES [ServiceAccount] ([Id]),
CONSTRAINT [FK_AccessPolicy_ServiceAccount_ServiceAccountId] FOREIGN KEY ([ServiceAccountId]) REFERENCES [ServiceAccount] ([Id])
[Read] BIT NOT NULL,
[Write] BIT NOT NULL,
[CreationDate] DATETIME2 NOT NULL,
[RevisionDate] DATETIME2 NOT NULL,
[GrantedSecretId] UNIQUEIDENTIFIER NULL,
CONSTRAINT [PK_AccessPolicy] PRIMARY KEY CLUSTERED ([Id] ASC),
CONSTRAINT [FK_AccessPolicy_Group_GroupId] FOREIGN KEY ([GroupId]) REFERENCES [dbo].[Group] ([Id]) ON DELETE CASCADE,
CONSTRAINT [FK_AccessPolicy_OrganizationUser_OrganizationUserId] FOREIGN KEY ([OrganizationUserId]) REFERENCES [dbo].[OrganizationUser] ([Id]),
CONSTRAINT [FK_AccessPolicy_Project_GrantedProjectId] FOREIGN KEY ([GrantedProjectId]) REFERENCES [dbo].[Project] ([Id]) ON DELETE CASCADE,
CONSTRAINT [FK_AccessPolicy_ServiceAccount_GrantedServiceAccountId] FOREIGN KEY ([GrantedServiceAccountId]) REFERENCES [dbo].[ServiceAccount] ([Id]),
CONSTRAINT [FK_AccessPolicy_ServiceAccount_ServiceAccountId] FOREIGN KEY ([ServiceAccountId]) REFERENCES [dbo].[ServiceAccount] ([Id]),
CONSTRAINT [FK_AccessPolicy_Secret_GrantedSecretId] FOREIGN KEY ([GrantedSecretId]) REFERENCES [dbo].[Secret] ([Id]) ON DELETE CASCADE
);
GO
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GroupId] ON [AccessPolicy] ([GroupId]);
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GroupId] ON [dbo].[AccessPolicy]([GroupId] ASC);
GO
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_OrganizationUserId] ON [AccessPolicy] ([OrganizationUserId]);
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_OrganizationUserId] ON [dbo].[AccessPolicy]([OrganizationUserId] ASC);
GO
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedProjectId] ON [AccessPolicy] ([GrantedProjectId]);
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedProjectId] ON [dbo].[AccessPolicy]([GrantedProjectId] ASC);
GO
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_ServiceAccountId] ON [AccessPolicy] ([ServiceAccountId]);
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_ServiceAccountId] ON [dbo].[AccessPolicy]([ServiceAccountId] ASC);
GO
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedServiceAccountId] ON [AccessPolicy] ([GrantedServiceAccountId]);
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedServiceAccountId] ON [dbo].[AccessPolicy]([GrantedServiceAccountId] ASC);
GO
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedSecretId] ON [dbo].[AccessPolicy]([GrantedSecretId] ASC);

14
util/Migrator/DbScripts/2024-02-16_00_AddSecretAccessPolicies.sql Normal file
View File

@ -0,0 +1,14 @@
IF COL_LENGTH('[dbo].[AccessPolicy]', 'GrantedSecretId') IS NULL
BEGIN
ALTER TABLE [dbo].[AccessPolicy] ADD [GrantedSecretId] [uniqueidentifier] NULL
CONSTRAINT [FK_AccessPolicy_Secret_GrantedSecretId] FOREIGN KEY ([GrantedSecretId]) REFERENCES [Secret] ([Id]) ON DELETE CASCADE
END
GO
IF NOT EXISTS(SELECT name
FROM sys.indexes
WHERE name = 'IX_AccessPolicy_GrantedSecretId')
BEGIN
CREATE NONCLUSTERED INDEX [IX_AccessPolicy_GrantedSecretId] ON [dbo].[AccessPolicy] ([GrantedSecretId] ASC);
END
GO

2518
util/MySqlMigrations/Migrations/20240216170327_AddSecretAccessPolicies.Designer.cs generated Normal file
View File

File diff suppressed because it is too large Load Diff

49
util/MySqlMigrations/Migrations/20240216170327_AddSecretAccessPolicies.cs Normal file
View File

@ -0,0 +1,49 @@
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace Bit.MySqlMigrations.Migrations;
/// <inheritdoc />
public partial class AddSecretAccessPolicies : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.AddColumn<Guid>(
name: "GrantedSecretId",
table: "AccessPolicy",
type: "char(36)",
nullable: true,
collation: "ascii_general_ci");
migrationBuilder.CreateIndex(
name: "IX_AccessPolicy_GrantedSecretId",
table: "AccessPolicy",
column: "GrantedSecretId");
migrationBuilder.AddForeignKey(
name: "FK_AccessPolicy_Secret_GrantedSecretId",
table: "AccessPolicy",
column: "GrantedSecretId",
principalTable: "Secret",
principalColumn: "Id",
onDelete: ReferentialAction.Cascade);
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.DropForeignKey(
name: "FK_AccessPolicy_Secret_GrantedSecretId",
table: "AccessPolicy");
migrationBuilder.DropIndex(
name: "IX_AccessPolicy_GrantedSecretId",
table: "AccessPolicy");
migrationBuilder.DropColumn(
name: "GrantedSecretId",
table: "AccessPolicy");
}
}

122
util/MySqlMigrations/Migrations/DatabaseContextModelSnapshot.cs
View File

@ -1732,6 +1732,27 @@ namespace Bit.MySqlMigrations.Migrations
b.HasDiscriminator().HasValue("group_project");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
b.Property<Guid?>("GrantedSecretId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("char(36)")
.HasColumnName("GrantedSecretId");
b.Property<Guid?>("GroupId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("char(36)")
.HasColumnName("GroupId");
b.HasIndex("GrantedSecretId");
b.HasIndex("GroupId");
b.HasDiscriminator().HasValue("group_secret");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@ -1763,6 +1784,7 @@ namespace Bit.MySqlMigrations.Migrations
.HasColumnName("GrantedProjectId");
b.Property<Guid?>("ServiceAccountId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("char(36)")
.HasColumnName("ServiceAccountId");
@ -1773,6 +1795,27 @@ namespace Bit.MySqlMigrations.Migrations
b.HasDiscriminator().HasValue("service_account_project");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
b.Property<Guid?>("GrantedSecretId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("char(36)")
.HasColumnName("GrantedSecretId");
b.Property<Guid?>("ServiceAccountId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("char(36)")
.HasColumnName("ServiceAccountId");
b.HasIndex("GrantedSecretId");
b.HasIndex("ServiceAccountId");
b.HasDiscriminator().HasValue("service_account_secret");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@ -1794,6 +1837,27 @@ namespace Bit.MySqlMigrations.Migrations
b.HasDiscriminator().HasValue("user_project");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
b.Property<Guid?>("GrantedSecretId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("char(36)")
.HasColumnName("GrantedSecretId");
b.Property<Guid?>("OrganizationUserId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("char(36)")
.HasColumnName("OrganizationUserId");
b.HasIndex("GrantedSecretId");
b.HasIndex("OrganizationUserId");
b.HasDiscriminator().HasValue("user_secret");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@ -2245,6 +2309,23 @@ namespace Bit.MySqlMigrations.Migrations
b.Navigation("Group");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
.WithMany("GroupAccessPolicies")
.HasForeignKey("GrantedSecretId")
.OnDelete(DeleteBehavior.Cascade);
b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
.WithMany()
.HasForeignKey("GroupId")
.OnDelete(DeleteBehavior.Cascade);
b.Navigation("GrantedSecret");
b.Navigation("Group");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
@ -2277,6 +2358,22 @@ namespace Bit.MySqlMigrations.Migrations
b.Navigation("ServiceAccount");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
.WithMany("ServiceAccountAccessPolicies")
.HasForeignKey("GrantedSecretId")
.OnDelete(DeleteBehavior.Cascade);
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
.WithMany()
.HasForeignKey("ServiceAccountId");
b.Navigation("GrantedSecret");
b.Navigation("ServiceAccount");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
@ -2293,6 +2390,22 @@ namespace Bit.MySqlMigrations.Migrations
b.Navigation("OrganizationUser");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
.WithMany("UserAccessPolicies")
.HasForeignKey("GrantedSecretId")
.OnDelete(DeleteBehavior.Cascade);
b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
.WithMany()
.HasForeignKey("OrganizationUserId");
b.Navigation("GrantedSecret");
b.Navigation("OrganizationUser");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
@ -2376,6 +2489,15 @@ namespace Bit.MySqlMigrations.Migrations
b.Navigation("UserAccessPolicies");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
{
b.Navigation("GroupAccessPolicies");
b.Navigation("ServiceAccountAccessPolicies");
b.Navigation("UserAccessPolicies");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
{
b.Navigation("GroupAccessPolicies");

2532
util/PostgresMigrations/Migrations/20240216170332_AddSecretAccessPolicies.Designer.cs generated Normal file
View File

File diff suppressed because it is too large Load Diff

48
util/PostgresMigrations/Migrations/20240216170332_AddSecretAccessPolicies.cs Normal file
View File

@ -0,0 +1,48 @@
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace Bit.PostgresMigrations.Migrations;
/// <inheritdoc />
public partial class AddSecretAccessPolicies : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.AddColumn<Guid>(
name: "GrantedSecretId",
table: "AccessPolicy",
type: "uuid",
nullable: true);
migrationBuilder.CreateIndex(
name: "IX_AccessPolicy_GrantedSecretId",
table: "AccessPolicy",
column: "GrantedSecretId");
migrationBuilder.AddForeignKey(
name: "FK_AccessPolicy_Secret_GrantedSecretId",
table: "AccessPolicy",
column: "GrantedSecretId",
principalTable: "Secret",
principalColumn: "Id",
onDelete: ReferentialAction.Cascade);
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.DropForeignKey(
name: "FK_AccessPolicy_Secret_GrantedSecretId",
table: "AccessPolicy");
migrationBuilder.DropIndex(
name: "IX_AccessPolicy_GrantedSecretId",
table: "AccessPolicy");
migrationBuilder.DropColumn(
name: "GrantedSecretId",
table: "AccessPolicy");
}
}

122
util/PostgresMigrations/Migrations/DatabaseContextModelSnapshot.cs
View File

@ -1746,6 +1746,27 @@ namespace Bit.PostgresMigrations.Migrations
b.HasDiscriminator().HasValue("group_project");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
b.Property<Guid?>("GrantedSecretId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("uuid")
.HasColumnName("GrantedSecretId");
b.Property<Guid?>("GroupId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("uuid")
.HasColumnName("GroupId");
b.HasIndex("GrantedSecretId");
b.HasIndex("GroupId");
b.HasDiscriminator().HasValue("group_secret");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@ -1777,6 +1798,7 @@ namespace Bit.PostgresMigrations.Migrations
.HasColumnName("GrantedProjectId");
b.Property<Guid?>("ServiceAccountId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("uuid")
.HasColumnName("ServiceAccountId");
@ -1787,6 +1809,27 @@ namespace Bit.PostgresMigrations.Migrations
b.HasDiscriminator().HasValue("service_account_project");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
b.Property<Guid?>("GrantedSecretId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("uuid")
.HasColumnName("GrantedSecretId");
b.Property<Guid?>("ServiceAccountId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("uuid")
.HasColumnName("ServiceAccountId");
b.HasIndex("GrantedSecretId");
b.HasIndex("ServiceAccountId");
b.HasDiscriminator().HasValue("service_account_secret");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@ -1808,6 +1851,27 @@ namespace Bit.PostgresMigrations.Migrations
b.HasDiscriminator().HasValue("user_project");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
b.Property<Guid?>("GrantedSecretId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("uuid")
.HasColumnName("GrantedSecretId");
b.Property<Guid?>("OrganizationUserId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("uuid")
.HasColumnName("OrganizationUserId");
b.HasIndex("GrantedSecretId");
b.HasIndex("OrganizationUserId");
b.HasDiscriminator().HasValue("user_secret");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@ -2259,6 +2323,23 @@ namespace Bit.PostgresMigrations.Migrations
b.Navigation("Group");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
.WithMany("GroupAccessPolicies")
.HasForeignKey("GrantedSecretId")
.OnDelete(DeleteBehavior.Cascade);
b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
.WithMany()
.HasForeignKey("GroupId")
.OnDelete(DeleteBehavior.Cascade);
b.Navigation("GrantedSecret");
b.Navigation("Group");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
@ -2291,6 +2372,22 @@ namespace Bit.PostgresMigrations.Migrations
b.Navigation("ServiceAccount");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
.WithMany("ServiceAccountAccessPolicies")
.HasForeignKey("GrantedSecretId")
.OnDelete(DeleteBehavior.Cascade);
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
.WithMany()
.HasForeignKey("ServiceAccountId");
b.Navigation("GrantedSecret");
b.Navigation("ServiceAccount");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
@ -2307,6 +2404,22 @@ namespace Bit.PostgresMigrations.Migrations
b.Navigation("OrganizationUser");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
.WithMany("UserAccessPolicies")
.HasForeignKey("GrantedSecretId")
.OnDelete(DeleteBehavior.Cascade);
b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
.WithMany()
.HasForeignKey("OrganizationUserId");
b.Navigation("GrantedSecret");
b.Navigation("OrganizationUser");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
@ -2390,6 +2503,15 @@ namespace Bit.PostgresMigrations.Migrations
b.Navigation("UserAccessPolicies");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
{
b.Navigation("GroupAccessPolicies");
b.Navigation("ServiceAccountAccessPolicies");
b.Navigation("UserAccessPolicies");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
{
b.Navigation("GroupAccessPolicies");

2516
util/SqliteMigrations/Migrations/20240216170322_AddSecretAccessPolicies.Designer.cs generated Normal file
View File

File diff suppressed because it is too large Load Diff

48
util/SqliteMigrations/Migrations/20240216170322_AddSecretAccessPolicies.cs Normal file
View File

@ -0,0 +1,48 @@
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace Bit.SqliteMigrations.Migrations;
/// <inheritdoc />
public partial class AddSecretAccessPolicies : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.AddColumn<Guid>(
name: "GrantedSecretId",
table: "AccessPolicy",
type: "TEXT",
nullable: true);
migrationBuilder.CreateIndex(
name: "IX_AccessPolicy_GrantedSecretId",
table: "AccessPolicy",
column: "GrantedSecretId");
migrationBuilder.AddForeignKey(
name: "FK_AccessPolicy_Secret_GrantedSecretId",
table: "AccessPolicy",
column: "GrantedSecretId",
principalTable: "Secret",
principalColumn: "Id",
onDelete: ReferentialAction.Cascade);
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.DropForeignKey(
name: "FK_AccessPolicy_Secret_GrantedSecretId",
table: "AccessPolicy");
migrationBuilder.DropIndex(
name: "IX_AccessPolicy_GrantedSecretId",
table: "AccessPolicy");
migrationBuilder.DropColumn(
name: "GrantedSecretId",
table: "AccessPolicy");
}
}

122
util/SqliteMigrations/Migrations/DatabaseContextModelSnapshot.cs
View File

@ -1730,6 +1730,27 @@ namespace Bit.SqliteMigrations.Migrations
b.HasDiscriminator().HasValue("group_project");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
b.Property<Guid?>("GrantedSecretId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("TEXT")
.HasColumnName("GrantedSecretId");
b.Property<Guid?>("GroupId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("TEXT")
.HasColumnName("GroupId");
b.HasIndex("GrantedSecretId");
b.HasIndex("GroupId");
b.HasDiscriminator().HasValue("group_secret");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@ -1761,6 +1782,7 @@ namespace Bit.SqliteMigrations.Migrations
.HasColumnName("GrantedProjectId");
b.Property<Guid?>("ServiceAccountId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("TEXT")
.HasColumnName("ServiceAccountId");
@ -1771,6 +1793,27 @@ namespace Bit.SqliteMigrations.Migrations
b.HasDiscriminator().HasValue("service_account_project");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
b.Property<Guid?>("GrantedSecretId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("TEXT")
.HasColumnName("GrantedSecretId");
b.Property<Guid?>("ServiceAccountId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("TEXT")
.HasColumnName("ServiceAccountId");
b.HasIndex("GrantedSecretId");
b.HasIndex("ServiceAccountId");
b.HasDiscriminator().HasValue("service_account_secret");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@ -1792,6 +1835,27 @@ namespace Bit.SqliteMigrations.Migrations
b.HasDiscriminator().HasValue("user_project");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
b.Property<Guid?>("GrantedSecretId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("TEXT")
.HasColumnName("GrantedSecretId");
b.Property<Guid?>("OrganizationUserId")
.ValueGeneratedOnUpdateSometimes()
.HasColumnType("TEXT")
.HasColumnName("OrganizationUserId");
b.HasIndex("GrantedSecretId");
b.HasIndex("OrganizationUserId");
b.HasDiscriminator().HasValue("user_secret");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
{
b.HasBaseType("Bit.Infrastructure.EntityFramework.SecretsManager.Models.AccessPolicy");
@ -2243,6 +2307,23 @@ namespace Bit.SqliteMigrations.Migrations
b.Navigation("Group");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupSecretAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
.WithMany("GroupAccessPolicies")
.HasForeignKey("GrantedSecretId")
.OnDelete(DeleteBehavior.Cascade);
b.HasOne("Bit.Infrastructure.EntityFramework.Models.Group", "Group")
.WithMany()
.HasForeignKey("GroupId")
.OnDelete(DeleteBehavior.Cascade);
b.Navigation("GrantedSecret");
b.Navigation("Group");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.GroupServiceAccountAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
@ -2275,6 +2356,22 @@ namespace Bit.SqliteMigrations.Migrations
b.Navigation("ServiceAccount");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccountSecretAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
.WithMany("ServiceAccountAccessPolicies")
.HasForeignKey("GrantedSecretId")
.OnDelete(DeleteBehavior.Cascade);
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "ServiceAccount")
.WithMany()
.HasForeignKey("ServiceAccountId");
b.Navigation("GrantedSecret");
b.Navigation("ServiceAccount");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserProjectAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Project", "GrantedProject")
@ -2291,6 +2388,22 @@ namespace Bit.SqliteMigrations.Migrations
b.Navigation("OrganizationUser");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserSecretAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", "GrantedSecret")
.WithMany("UserAccessPolicies")
.HasForeignKey("GrantedSecretId")
.OnDelete(DeleteBehavior.Cascade);
b.HasOne("Bit.Infrastructure.EntityFramework.Models.OrganizationUser", "OrganizationUser")
.WithMany()
.HasForeignKey("OrganizationUserId");
b.Navigation("GrantedSecret");
b.Navigation("OrganizationUser");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.UserServiceAccountAccessPolicy", b =>
{
b.HasOne("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", "GrantedServiceAccount")
@ -2374,6 +2487,15 @@ namespace Bit.SqliteMigrations.Migrations
b.Navigation("UserAccessPolicies");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.Secret", b =>
{
b.Navigation("GroupAccessPolicies");
b.Navigation("ServiceAccountAccessPolicies");
b.Navigation("UserAccessPolicies");
});
modelBuilder.Entity("Bit.Infrastructure.EntityFramework.SecretsManager.Models.ServiceAccount", b =>
{
b.Navigation("GroupAccessPolicies");