1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-28 13:15:12 +01:00

[EC-92] Add organization vault export to event logs (#2128)

* Added nullable OrganizationId to EventModel

* Added EventType Organization_ClientExportedVault

* Updated CollectController to save the event Organization_ClientExportedVault

* Added OrganizationExportResponseModel to encapsulate Organization Export data

* Added OrganizationExportController to have a single endpoint for Organization vault export

* Added method GetOrganizationCollections to ICollectionService to get collections for an organization

* Added GetOrganizationCiphers to ICipherService to get ciphers for an organization

* Updated controllers to use new methods in ICollectionService and ICipherService
This commit is contained in:
Rui Tomé 2022-07-25 09:56:23 +01:00 committed by GitHub
parent f6a18db582
commit 7dfb04298d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 164 additions and 50 deletions

View File

@ -216,40 +216,12 @@ namespace Bit.Api.Controllers
{ {
var userId = _userService.GetProperUserId(User).Value; var userId = _userService.GetProperUserId(User).Value;
var orgIdGuid = new Guid(organizationId); var orgIdGuid = new Guid(organizationId);
if (!await _currentContext.ViewAllCollections(orgIdGuid) && !await _currentContext.AccessReports(orgIdGuid))
{
throw new NotFoundException();
}
IEnumerable<CipherOrganizationDetails> orgCiphers;
if (await _currentContext.OrganizationAdmin(orgIdGuid))
{
// Admins, Owners and Providers can access all items even if not assigned to them
orgCiphers = await _cipherRepository.GetManyOrganizationDetailsByOrganizationIdAsync(orgIdGuid);
}
else
{
var ciphers = await _cipherRepository.GetManyByUserIdAsync(userId, true);
orgCiphers = ciphers.Where(c => c.OrganizationId == orgIdGuid);
}
var orgCipherIds = orgCiphers.Select(c => c.Id);
var collectionCiphers = await _collectionCipherRepository.GetManyByOrganizationIdAsync(orgIdGuid);
var collectionCiphersGroupDict = collectionCiphers
.Where(c => orgCipherIds.Contains(c.CipherId))
.GroupBy(c => c.CipherId).ToDictionary(s => s.Key);
(IEnumerable<CipherOrganizationDetails> orgCiphers, Dictionary<Guid, IGrouping<Guid, CollectionCipher>> collectionCiphersGroupDict) = await _cipherService.GetOrganizationCiphers(userId, orgIdGuid);
var responses = orgCiphers.Select(c => new CipherMiniDetailsResponseModel(c, _globalSettings, var responses = orgCiphers.Select(c => new CipherMiniDetailsResponseModel(c, _globalSettings,
collectionCiphersGroupDict, c.OrganizationUseTotp)); collectionCiphersGroupDict, c.OrganizationUseTotp));
var providerId = await _currentContext.ProviderIdForOrg(orgIdGuid);
if (providerId.HasValue)
{
await _providerService.LogProviderAccessToOrganizationAsync(orgIdGuid);
}
return new ListResponseModel<CipherMiniDetailsResponseModel>(responses); return new ListResponseModel<CipherMiniDetailsResponseModel>(responses);
} }

View File

@ -75,22 +75,7 @@ namespace Bit.Api.Controllers
[HttpGet("")] [HttpGet("")]
public async Task<ListResponseModel<CollectionResponseModel>> Get(Guid orgId) public async Task<ListResponseModel<CollectionResponseModel>> Get(Guid orgId)
{ {
if (!await _currentContext.ViewAllCollections(orgId) && !await _currentContext.ManageUsers(orgId)) IEnumerable<Collection> orgCollections = await _collectionService.GetOrganizationCollections(orgId);
{
throw new NotFoundException();
}
IEnumerable<Collection> orgCollections;
if (await _currentContext.OrganizationAdmin(orgId))
{
// Admins, Owners and Providers can access all items even if not assigned to them
orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(orgId);
}
else
{
var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
orgCollections = collections.Where(c => c.OrganizationId == orgId);
}
var responses = orgCollections.Select(c => new CollectionResponseModel(c)); var responses = orgCollections.Select(c => new CollectionResponseModel(c));
return new ListResponseModel<CollectionResponseModel>(responses); return new ListResponseModel<CollectionResponseModel>(responses);

View File

@ -0,0 +1,64 @@
using Bit.Api.Models.Response;
using Bit.Core.Entities;
using Bit.Core.Services;
using Bit.Core.Settings;
using Core.Models.Data;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
namespace Bit.Api.Controllers
{
[Route("organizations/{organizationId}")]
[Authorize("Application")]
public class OrganizationExportController : Controller
{
private readonly IUserService _userService;
private readonly ICollectionService _collectionService;
private readonly ICipherService _cipherService;
private readonly GlobalSettings _globalSettings;
public OrganizationExportController(
ICipherService cipherService,
ICollectionService collectionService,
IUserService userService,
GlobalSettings globalSettings)
{
_cipherService = cipherService;
_collectionService = collectionService;
_userService = userService;
_globalSettings = globalSettings;
}
[HttpGet("export")]
public async Task<OrganizationExportResponseModel> Export(Guid organizationId)
{
var userId = _userService.GetProperUserId(User).Value;
IEnumerable<Collection> orgCollections = await _collectionService.GetOrganizationCollections(organizationId);
(IEnumerable<CipherOrganizationDetails> orgCiphers, Dictionary<Guid, IGrouping<Guid, CollectionCipher>> collectionCiphersGroupDict) = await _cipherService.GetOrganizationCiphers(userId, organizationId);
var result = new OrganizationExportResponseModel
{
Collections = GetOrganizationCollectionsResponse(orgCollections),
Ciphers = await GetOrganizationCiphersResponse(orgCiphers, collectionCiphersGroupDict)
};
return result;
}
private ListResponseModel<CollectionResponseModel> GetOrganizationCollectionsResponse(IEnumerable<Collection> orgCollections)
{
var collections = orgCollections.Select(c => new CollectionResponseModel(c));
return new ListResponseModel<CollectionResponseModel>(collections);
}
private async Task<ListResponseModel<CipherMiniDetailsResponseModel>> GetOrganizationCiphersResponse(IEnumerable<CipherOrganizationDetails> orgCiphers,
Dictionary<Guid, IGrouping<Guid, CollectionCipher>> collectionCiphersGroupDict)
{
var responses = orgCiphers.Select(c => new CipherMiniDetailsResponseModel(c, _globalSettings,
collectionCiphersGroupDict, c.OrganizationUseTotp));
return new ListResponseModel<CipherMiniDetailsResponseModel>(responses);
}
}
}

View File

@ -0,0 +1,13 @@
namespace Bit.Api.Models.Response
{
public class OrganizationExportResponseModel
{
public OrganizationExportResponseModel()
{
}
public ListResponseModel<CollectionResponseModel> Collections { get; set; }
public ListResponseModel<CipherMiniDetailsResponseModel> Ciphers { get; set; }
}
}

View File

@ -56,7 +56,7 @@
Organization_Updated = 1600, Organization_Updated = 1600,
Organization_PurgedVault = 1601, Organization_PurgedVault = 1601,
// Organization_ClientExportedVault = 1602, Organization_ClientExportedVault = 1602,
Organization_VaultAccessed = 1603, Organization_VaultAccessed = 1603,
Organization_EnabledSso = 1604, Organization_EnabledSso = 1604,
Organization_DisabledSso = 1605, Organization_DisabledSso = 1605,

View File

@ -39,5 +39,6 @@ namespace Bit.Core.Services
Task UploadFileForExistingAttachmentAsync(Stream stream, Cipher cipher, CipherAttachment.MetaData attachmentId); Task UploadFileForExistingAttachmentAsync(Stream stream, Cipher cipher, CipherAttachment.MetaData attachmentId);
Task<AttachmentResponseData> GetAttachmentDownloadDataAsync(Cipher cipher, string attachmentId); Task<AttachmentResponseData> GetAttachmentDownloadDataAsync(Cipher cipher, string attachmentId);
Task<bool> ValidateCipherAttachmentFile(Cipher cipher, CipherAttachment.MetaData attachmentData); Task<bool> ValidateCipherAttachmentFile(Cipher cipher, CipherAttachment.MetaData attachmentData);
Task<(IEnumerable<CipherOrganizationDetails>, Dictionary<Guid, IGrouping<Guid, CollectionCipher>>)> GetOrganizationCiphers(Guid userId, Guid organizationId);
} }
} }

View File

@ -8,5 +8,6 @@ namespace Bit.Core.Services
Task SaveAsync(Collection collection, IEnumerable<SelectionReadOnly> groups = null, Guid? assignUserId = null); Task SaveAsync(Collection collection, IEnumerable<SelectionReadOnly> groups = null, Guid? assignUserId = null);
Task DeleteAsync(Collection collection); Task DeleteAsync(Collection collection);
Task DeleteUserAsync(Collection collection, Guid organizationUserId); Task DeleteUserAsync(Collection collection, Guid organizationUserId);
Task<IEnumerable<Collection>> GetOrganizationCollections(Guid organizationId);
} }
} }

View File

@ -1,4 +1,5 @@
using System.Text.Json; using System.Text.Json;
using Bit.Core.Context;
using Bit.Core.Entities; using Bit.Core.Entities;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Exceptions; using Bit.Core.Exceptions;
@ -29,6 +30,8 @@ namespace Bit.Core.Services
private readonly GlobalSettings _globalSettings; private readonly GlobalSettings _globalSettings;
private const long _fileSizeLeeway = 1024L * 1024L; // 1MB private const long _fileSizeLeeway = 1024L * 1024L; // 1MB
private readonly IReferenceEventService _referenceEventService; private readonly IReferenceEventService _referenceEventService;
private readonly ICurrentContext _currentContext;
private readonly IProviderService _providerService;
public CipherService( public CipherService(
ICipherRepository cipherRepository, ICipherRepository cipherRepository,
@ -43,7 +46,8 @@ namespace Bit.Core.Services
IUserService userService, IUserService userService,
IPolicyRepository policyRepository, IPolicyRepository policyRepository,
GlobalSettings globalSettings, GlobalSettings globalSettings,
IReferenceEventService referenceEventService) IReferenceEventService referenceEventService,
ICurrentContext currentContext)
{ {
_cipherRepository = cipherRepository; _cipherRepository = cipherRepository;
_folderRepository = folderRepository; _folderRepository = folderRepository;
@ -58,6 +62,7 @@ namespace Bit.Core.Services
_policyRepository = policyRepository; _policyRepository = policyRepository;
_globalSettings = globalSettings; _globalSettings = globalSettings;
_referenceEventService = referenceEventService; _referenceEventService = referenceEventService;
_currentContext = currentContext;
} }
public async Task SaveAsync(Cipher cipher, Guid savingUserId, DateTime? lastKnownRevisionDate, public async Task SaveAsync(Cipher cipher, Guid savingUserId, DateTime? lastKnownRevisionDate,
@ -845,6 +850,41 @@ namespace Bit.Core.Services
await _pushService.PushSyncCiphersAsync(restoringUserId); await _pushService.PushSyncCiphersAsync(restoringUserId);
} }
public async Task<(IEnumerable<CipherOrganizationDetails>, Dictionary<Guid, IGrouping<Guid, CollectionCipher>>)> GetOrganizationCiphers(Guid userId, Guid organizationId)
{
if (!await _currentContext.ViewAllCollections(organizationId) && !await _currentContext.AccessReports(organizationId))
{
throw new NotFoundException();
}
IEnumerable<CipherOrganizationDetails> orgCiphers;
if (await _currentContext.OrganizationAdmin(organizationId))
{
// Admins, Owners and Providers can access all items even if not assigned to them
orgCiphers = await _cipherRepository.GetManyOrganizationDetailsByOrganizationIdAsync(organizationId);
}
else
{
var ciphers = await _cipherRepository.GetManyByUserIdAsync(userId, true);
orgCiphers = ciphers.Where(c => c.OrganizationId == organizationId);
}
var orgCipherIds = orgCiphers.Select(c => c.Id);
var collectionCiphers = await _collectionCipherRepository.GetManyByOrganizationIdAsync(organizationId);
var collectionCiphersGroupDict = collectionCiphers
.Where(c => orgCipherIds.Contains(c.CipherId))
.GroupBy(c => c.CipherId).ToDictionary(s => s.Key);
var providerId = await _currentContext.ProviderIdForOrg(organizationId);
if (providerId.HasValue)
{
await _providerService.LogProviderAccessToOrganizationAsync(organizationId);
}
return (orgCiphers, collectionCiphersGroupDict);
}
private async Task<bool> UserCanEditAsync(Cipher cipher, Guid userId) private async Task<bool> UserCanEditAsync(Cipher cipher, Guid userId)
{ {
if (!cipher.OrganizationId.HasValue && cipher.UserId.HasValue && cipher.UserId.Value == userId) if (!cipher.OrganizationId.HasValue && cipher.UserId.HasValue && cipher.UserId.Value == userId)

View File

@ -1,4 +1,5 @@
using Bit.Core.Entities; using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Enums; using Bit.Core.Enums;
using Bit.Core.Exceptions; using Bit.Core.Exceptions;
using Bit.Core.Models.Business; using Bit.Core.Models.Business;
@ -16,6 +17,7 @@ namespace Bit.Core.Services
private readonly IUserRepository _userRepository; private readonly IUserRepository _userRepository;
private readonly IMailService _mailService; private readonly IMailService _mailService;
private readonly IReferenceEventService _referenceEventService; private readonly IReferenceEventService _referenceEventService;
private readonly ICurrentContext _currentContext;
public CollectionService( public CollectionService(
IEventService eventService, IEventService eventService,
@ -24,7 +26,8 @@ namespace Bit.Core.Services
ICollectionRepository collectionRepository, ICollectionRepository collectionRepository,
IUserRepository userRepository, IUserRepository userRepository,
IMailService mailService, IMailService mailService,
IReferenceEventService referenceEventService) IReferenceEventService referenceEventService,
ICurrentContext currentContext)
{ {
_eventService = eventService; _eventService = eventService;
_organizationRepository = organizationRepository; _organizationRepository = organizationRepository;
@ -33,6 +36,7 @@ namespace Bit.Core.Services
_userRepository = userRepository; _userRepository = userRepository;
_mailService = mailService; _mailService = mailService;
_referenceEventService = referenceEventService; _referenceEventService = referenceEventService;
_currentContext = currentContext;
} }
public async Task SaveAsync(Collection collection, IEnumerable<SelectionReadOnly> groups = null, public async Task SaveAsync(Collection collection, IEnumerable<SelectionReadOnly> groups = null,
@ -111,5 +115,27 @@ namespace Bit.Core.Services
await _collectionRepository.DeleteUserAsync(collection.Id, organizationUserId); await _collectionRepository.DeleteUserAsync(collection.Id, organizationUserId);
await _eventService.LogOrganizationUserEventAsync(orgUser, Enums.EventType.OrganizationUser_Updated); await _eventService.LogOrganizationUserEventAsync(orgUser, Enums.EventType.OrganizationUser_Updated);
} }
public async Task<IEnumerable<Collection>> GetOrganizationCollections(Guid organizationId)
{
if (!await _currentContext.ViewAllCollections(organizationId) && !await _currentContext.ManageUsers(organizationId))
{
throw new NotFoundException();
}
IEnumerable<Collection> orgCollections;
if (await _currentContext.OrganizationAdmin(organizationId))
{
// Admins, Owners and Providers can access all items even if not assigned to them
orgCollections = await _collectionRepository.GetManyByOrganizationIdAsync(organizationId);
}
else
{
var collections = await _collectionRepository.GetManyByUserIdAsync(_currentContext.UserId.Value);
orgCollections = collections.Where(c => c.OrganizationId == organizationId);
}
return orgCollections;
}
} }
} }

View File

@ -17,15 +17,18 @@ namespace Bit.Events.Controllers
private readonly ICurrentContext _currentContext; private readonly ICurrentContext _currentContext;
private readonly IEventService _eventService; private readonly IEventService _eventService;
private readonly ICipherRepository _cipherRepository; private readonly ICipherRepository _cipherRepository;
private readonly IOrganizationRepository _organizationRepository;
public CollectController( public CollectController(
ICurrentContext currentContext, ICurrentContext currentContext,
IEventService eventService, IEventService eventService,
ICipherRepository cipherRepository) ICipherRepository cipherRepository,
IOrganizationRepository organizationRepository)
{ {
_currentContext = currentContext; _currentContext = currentContext;
_eventService = eventService; _eventService = eventService;
_cipherRepository = cipherRepository; _cipherRepository = cipherRepository;
_organizationRepository = organizationRepository;
} }
[HttpPost] [HttpPost]
@ -78,6 +81,14 @@ namespace Bit.Events.Controllers
} }
cipherEvents.Add(new Tuple<Cipher, EventType, DateTime?>(cipher, eventModel.Type, eventModel.Date)); cipherEvents.Add(new Tuple<Cipher, EventType, DateTime?>(cipher, eventModel.Type, eventModel.Date));
break; break;
case EventType.Organization_ClientExportedVault:
if (!eventModel.OrganizationId.HasValue)
{
continue;
}
var organization = await _organizationRepository.GetByIdAsync(eventModel.OrganizationId.Value);
await _eventService.LogOrganizationEventAsync(organization, eventModel.Type, eventModel.Date);
break;
default: default:
continue; continue;
} }

View File

@ -7,5 +7,6 @@ namespace Bit.Events.Models
public EventType Type { get; set; } public EventType Type { get; set; }
public Guid? CipherId { get; set; } public Guid? CipherId { get; set; }
public DateTime Date { get; set; } public DateTime Date { get; set; }
public Guid? OrganizationId { get; set; }
} }
} }